This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

Railsport doesn't validate HTML in diary entries #1984

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 3 comments

Comments

@openstreetmap-trac

Reporter: avarab[at]gmail.com
[Submitted to the original trac issue database at 11.10am, Monday, 22nd June 2009]

If someone enters an unclosed HTML tag in a diary post it'll destroy the layout of the site, e.g.:

<div>

Author: tom[at]compton.nu
[Added to the original trac issue at 2.43am, Tuesday, 23rd June 2009]

I'm not sure there's much we can do about this - we already run the rails HTML sanitizer on it and it's impossible to guess all the stupid things somebody might do.


Author: HannesHH
[Added to the original trac issue at 8.11am, Tuesday, 23rd June 2009]

A quick web search led me to this:
http://www.anyexample.com/webdev/rails/how_to_allow_some_safe_html_in_rails_projects.xml

If I understand that code right, it checks the escaped content for "full" tags (opened AND closed) before converting some tags back to HTML (unescaping the <>). That means properly closed tags will work and anything else will render like text.

I am not sure if it strips unwanted attributes (like style) too like the site currently does.
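The approach HannesHH describes above (escape everything first, then turn only properly opened and closed allow-listed tags back into real HTML, so an unclosed `<div>` or a stray `<script>` is rendered as visible text) as an added Ruby example. This is not the code from the linked article and not the sanitizer the project adopted in r20340; the tag allow-list, the `sanitize_diary_html` name and the strict-nesting rule are assumptions of this example. Attributes are dropped from the tags that survive, which answers the `style` question in the conservative direction.

```ruby
require "cgi"

# Assumed allow-list for this example: tags a diary entry may keep as real HTML.
# Anything not listed (div, script, img, ...) is always rendered as escaped text.
ALLOWED_TAGS = %w[b i em strong p ul ol li blockquote code pre].freeze

# A tag token: optional "/", a tag name, then anything up to ">" (attributes).
# Requiring a letter right after "<" means "a < b" is never mistaken for a tag.
TAG_RE = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>}

Token = Struct.new(:kind, :text, :name, :closing, :matched)

# Split the raw input into :text and :tag tokens without altering it.
def tokenize(html)
  tokens = []
  pos = 0
  while (m = TAG_RE.match(html, pos))
    tokens << Token.new(:text, html[pos...m.begin(0)]) if m.begin(0) > pos
    tokens << Token.new(:tag, m[0], m[2].downcase, m[1] == "/", false)
    pos = m.end(0)
  end
  tokens << Token.new(:text, html[pos..-1]) if pos < html.length
  tokens
end

# Mark the open/close pairs of allowed tags that are properly nested.
# An open tag with no matching close, a close with no open, or a close that
# does not match the innermost open tag all stay unmatched and become text.
def mark_balanced!(tokens)
  stack = []
  tokens.each_with_index do |tok, i|
    next unless tok.kind == :tag && ALLOWED_TAGS.include?(tok.name)
    if tok.closing
      if !stack.empty? && tokens[stack.last].name == tok.name
        tokens[stack.pop].matched = true
        tok.matched = true
      end
    else
      stack << i
    end
  end
  tokens
end

# Escape everything, then re-emit only the matched allow-listed tags as HTML,
# rebuilt from the tag name alone so every attribute (style, onclick, ...) is lost.
def sanitize_diary_html(html)
  mark_balanced!(tokenize(html)).map do |tok|
    if tok.kind == :tag && tok.matched
      tok.closing ? "</#{tok.name}>" : "<#{tok.name}>"
    else
      CGI.escapeHTML(tok.text)
    end
  end.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs for a quick run; the unclosed tag from the report stays text.
  ["<div>", "<b>bold</b> and <i>it</i>", "<b onclick=\"x()\">t</b>", "<b><i>x</b>"].each do |s|
    puts "#{s.inspect} => #{sanitize_diary_html(s).inspect}"
  end
end
```

Because a close tag only pairs with the innermost open tag, overlapping markup such as `<b><i>x</b>` is rejected as a whole rather than partially un-escaped, which is what keeps the page layout intact. Void tags such as `<br>` have no closing tag and so always render as text under this rule; a real deployment would either allow-list them explicitly or, as the project ultimately did, move to a dedicated sanitizer.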


Author: TomH
[Added to the original trac issue at 3.42pm, Saturday, 6th March 2010]

Fixed by new sanitizer added in r20340.
