Posted to commits@roller.apache.org by "Glen Mazza (JIRA)" <ji...@apache.org> on 2013/01/05 21:50:12 UTC

[jira] [Closed] (ROL-1196) Safe comments: strip HTML from comment name, URL and email addresses

     [ https://issues.apache.org/jira/browse/ROL-1196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Glen Mazza closed ROL-1196.
---------------------------

    
> Safe comments: strip HTML from comment name, URL and email addresses
> --------------------------------------------------------------------
>
>                 Key: ROL-1196
>                 URL: https://issues.apache.org/jira/browse/ROL-1196
>             Project: Roller
>          Issue Type: Bug
>          Components: Comments
>    Affects Versions: 2.3
>            Reporter: David Johnson
>            Assignee: David Johnson
>             Fix For: 2.3.1
>
>
> See title.
> We allow users to use HTML in comment body, but we strip all but a "safe subset" of HTML when we display the comment. However, we don't do any HTML stripping or safe-subsetting on the comment name, HTML or URL. That leaves Roller open to XSS attacks by commenters.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
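An added example, not Roller's own code and not part of the issue above: a hypothetical `CommentFieldSanitizer` showing the defensive handling the report asks for on the three metadata fields, with the URL field treated separately because it is rendered inside an href, where output escaping alone does not stop a `javascript:` link. All class, method and sample values are assumed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.regex.Pattern;

/** Hypothetical sanitizer for comment metadata fields (name, email, URL); not Roller's own code. */
public final class CommentFieldSanitizer {
    // Name and email never legitimately contain markup: drop tags, then escape what remains.
    private static final Pattern TAG = Pattern.compile("<[^>]*>");
    // Deliberately strict address shape; angle brackets, quotes and spaces are all rejected.
    private static final Pattern EMAIL = Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");
    /** Escape the five characters that let text break out of an HTML text node or attribute. */
    public static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
    /** Name: no HTML allowed at all, so strip tags and escape whatever is left. */
    public static String sanitizeName(String name) {
        if (name == null) return "";
        return escapeHtml(TAG.matcher(name).replaceAll("").trim());
    }
    /** Email: keep only a plain address; anything else becomes empty rather than the raw input. */
    public static String sanitizeEmail(String email) {
        if (email == null) return "";
        String e = email.trim();
        return EMAIL.matcher(e).matches() ? escapeHtml(e) : "";
    }
    /** URL: rendered inside an href, so escaping alone is not enough (a "javascript:" scheme survives
     *  escaping untouched). Parse it and allow only absolute http/https URLs that carry a host. */
    public static String sanitizeUrl(String url) {
        if (url == null) return "";
        try {
            URI u = new URI(url.trim());
            String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
            if (!(scheme.equals("http") || scheme.equals("https")) || u.getHost() == null) return "";
            return escapeHtml(u.toASCIIString());
        } catch (URISyntaxException ex) {
            return "";
        }
    }
    public static void main(String[] args) {
        // Constructed inputs of the kind the report describes, not taken from any real comment.
        System.out.println(sanitizeName("Alice<script>alert(1)</script>"));
        System.out.println(sanitizeEmail("alice@example.com<script>alert(1)</script>"));
        System.out.println(sanitizeEmail("alice@example.com"));
        System.out.println(sanitizeUrl("javascript:alert(1)"));
        System.out.println(sanitizeUrl("http://example.com/~alice?x=1&y=2"));
    }
}
```

The name keeps only its text, the malformed email and the `javascript:` URL are stored as empty strings instead of the raw input, and the valid URL comes back with its ampersand escaped for safe placement in an attribute.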