Restrict the use of HTML and JavaScript in stories and comments #64

Closed
GoogleCodeExporter opened this issue Apr 4, 2015 · 8 comments

Comments

@GoogleCodeExporter

To prevent users from saving possibly malicious HTML and JavaScript in
comments and stories, at blogger.de, University of Erlangen and twoday.net,
the user input is sanitized. Maybe that (or something similar) could be
integrated in Antville?

phoque describing his changes (antville 1.1):
http://groups.google.com/group/antville-dev/browse_thread/thread/79db3c73f3e9d628

The settings at blogger.de (in app.properties):
<code># allowedTags: List of tags/attributes that are allowed for a story, resp.
# for a comment. All other tags/attributes are being removed. This
# should guarantee that no users can insert malicious (script) code, esp.
# the XMLHttpRequest-Object. By adding '%[.]' to this list, it is possible
# to allow macros to be inserted.
allowedTagsForStory   = textmodule, hypertextmodule, legacymodule, editmodule, listmodule, targetmodule, presentationmodule, tablemodule, imagemodule, objectmodule, custommodule, iframemodule, %[.]
allowedTagsForComment = textmodule, hypertextmodule, legacymodule, editmodule, presentationmodule, %[.], imagemodule

# allowedTagsForStory = a[name|href|target|title|hreflang], strong, b, em, i, strike, p[align], ol, ul, li, br, nobr, wbr, img[src|border|alt|title|width|height|align], blockquote[cite], div[align], pre, code, center, cite, table[border|cellpadding|cellspacing|width|height|bgcolor], th[width|height|align|valign|colspan|rowspan], tr[width|height|align|valign|colspan|rowspan], td[width|height|align|valign|colspan|rowspan], q[cite], samp, kbd, var, dfn, acronym, abbr, ins, del, hr[size|width|align], font[size|color|face], basefont[size|color|face], big, small, tt, sub, sup, s, blink
# allowedTagsForComment = a[name|href|target|title|hreflang], strong, b, em, i, strike, p[align], ol, ul, li, br, nobr, wbr, img[src|border|alt|title|width|height|align], blockquote[cite], div[align], pre, code, center, cite, q[cite], samp, kbd, var, dfn, acronym, abbr, ins, del, font[size|color|face], basefont[size|color|face], big, small, tt, sub, sup, s, blink</code>

Well, <i>blink</i> should have been omitted.
Original issue reported on code.google.com by kinomu.w...@gmail.com on 20 Dec 2009 at 7:06
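The allowlist approach quoted in the report, worked through as an added example. This is my code, not the sanitizer from Antville, blogger.de or phoque's patch: it parses the "tag[attr|attr], tag" syntax shown in app.properties into a lookup table and then rewrites a constructed HTML fragment against it. Assumptions that are mine and not stated in the issue: a tag absent from the list is removed while its text content is kept; an attribute absent from a tag's bracket list is dropped; href, src and cite values are additionally restricted to http(s), mailto or relative URLs; and the whole thing runs on Node.js.

```javascript
// Added example, not Antville or blogger.de code: a minimal allowlist sanitizer
// driven by the allowedTags syntax quoted in the issue ("tag[attr|attr], tag").
// Assumptions (mine, not from the issue): tags not in the list are stripped but
// their text content is kept; attributes not listed for a tag are dropped;
// href/src/cite values are limited to http(s), mailto or relative URLs.

// Constructed sample spec: the commented-out allowedTagsForComment line from the issue.
const COMMENT_SPEC =
  "a[name|href|target|title|hreflang], strong, b, em, i, strike, p[align], ol, ul, li, br, nobr, wbr, " +
  "img[src|border|alt|title|width|height|align], blockquote[cite], div[align], pre, code, center, cite, " +
  "q[cite], samp, kbd, var, dfn, acronym, abbr, ins, del, font[size|color|face], " +
  "basefont[size|color|face], big, small, tt, sub, sup, s, blink";

// Constructed sample input with the kinds of markup the allowlist is meant to remove.
const SAMPLE_HTML =
  '<p align="center" style="x">Hi <script>alert(1)</script>' +
  '<a href="javascript:alert(1)" onclick="x()">link</a>' +
  '<img src=x onerror=alert(1)><!-- c --><b>bold</b></p>';

// Parse "a[name|href], strong, %[.]" into Map<tag, Set<attribute>>.
// The macro marker "%[.]" becomes an entry for the name "%", which can never
// match a real HTML tag name, so it is simply inert here.
function parseAllowedTags(spec) {
  const allowed = new Map();
  for (const raw of spec.split(",")) {
    const entry = raw.trim();
    if (!entry) continue;
    const m = /^([^\[\s]+)(?:\[([^\]]*)\])?$/.exec(entry);
    if (!m) continue; // malformed entry: ignore rather than allow
    const attrs = m[2]
      ? m[2].split("|").map((a) => a.trim().toLowerCase()).filter(Boolean)
      : [];
    allowed.set(m[1].toLowerCase(), new Set(attrs));
  }
  return allowed;
}

const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// A URL passes if it has no scheme (relative) or a scheme in SAFE_SCHEMES.
function isSafeUrl(value) {
  const v = value.replace(/[\s\x00-\x1f]/g, ""); // drop chars browsers ignore before the scheme
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return m === null || SAFE_SCHEMES.has(m[1].toLowerCase());
}

function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Rewrite every tag in an HTML fragment according to the allowlist.
// A regex tokenizer keeps the example short; a production sanitizer should use
// a real HTML parser, because "<" or ">" inside attribute values and other odd
// markup can desynchronise this tokenizer.
function sanitizeHtml(html, allowed) {
  const tagRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  return html.replace(tagRe, (match, name, rest) => {
    if (name === undefined) return ""; // HTML comment: drop it
    const tag = name.toLowerCase();
    if (!allowed.has(tag)) return ""; // disallowed tag: strip the tag, keep inner text
    if (match.startsWith("</")) return `</${tag}>`;
    const permitted = allowed.get(tag);
    const kept = [];
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(rest)) !== null) {
      const attr = a[1].toLowerCase();
      if (!permitted.has(attr)) continue; // e.g. onerror, onclick, style
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if ((attr === "href" || attr === "src" || attr === "cite") && !isSafeUrl(value)) continue;
      kept.push(`${attr}="${escapeAttr(value)}"`);
    }
    const selfClosing = /\/\s*$/.test(rest) ? " /" : "";
    return `<${tag}${kept.length ? " " + kept.join(" ") : ""}${selfClosing}>`;
  });
}

// Runs the constructed sample through the comment allowlist.
function demo() {
  return sanitizeHtml(SAMPLE_HTML, parseAllowedTags(COMMENT_SPEC));
}

console.log(demo());
```

On the constructed sample the script element, the event handlers, the style attribute and the comment disappear, and the javascript: link loses its href while the plain text stays. The URL check is worth keeping separate from the tag list: the quoted allowlist permits a[href] and img[src], so an allowlist of tags and attributes on its own says nothing about what those attribute values may contain.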

@GoogleCodeExporter

Original comment by interf...@p3k.org on 18 Jan 2010 at 11:32

  • Added labels: Milestone-Release-1.2

@GoogleCodeExporter

Postponed to 1.3.

Original comment by interf...@p3k.org on 23 Apr 2010 at 8:10

  • Added labels: Milestone-Release-1.3
  • Removed labels: Milestone-Release-1.2

@GoogleCodeExporter

Original comment by interf...@p3k.org on 29 May 2011 at 9:08

  • Added labels: Milestone-Release-1.4

@GoogleCodeExporter

Original comment by m...@tobischaefer.com on 28 Jul 2013 at 8:50

  • Added labels: Milestone-Release-1.5
  • Removed labels: Milestone-Release-1.4

@GoogleCodeExporter

This issue was closed by revision 86edcaac33b0.

Original comment by interf...@p3k.org on 22 Mar 2015 at 4:23

  • Changed state: Fixed

@GoogleCodeExporter

This issue was closed by revision 95d3a7f6cb5c.

Original comment by interf...@p3k.org on 25 Mar 2015 at 10:32

@p3k p3k modified the milestone: Release 1.5 Apr 7, 2015