Posted to commits@roller.apache.org by "Glen Mazza (JIRA)" <ji...@apache.org> on 2013/01/05 21:50:12 UTC
[jira] [Closed] (ROL-1196) Safe comments: strip HTML from comment name, URL and email addresses
[ https://issues.apache.org/jira/browse/ROL-1196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Glen Mazza closed ROL-1196.
---------------------------
> Safe comments: strip HTML from comment name, URL and email addresses
> --------------------------------------------------------------------
>
> Key: ROL-1196
> URL: https://issues.apache.org/jira/browse/ROL-1196
> Project: Roller
> Issue Type: Bug
> Components: Comments
> Affects Versions: 2.3
> Reporter: David Johnson
> Assignee: David Johnson
> Fix For: 2.3.1
>
>
> See title.
> We allow users to use HTML in the comment body, but we strip all but a "safe subset" of HTML when we display the comment. However, we don't do any HTML stripping/safe-subsetting on the comment name, HTML or URL. That leaves Roller open to XSS attacks by commenters.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
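The following is an added illustration of the bug class described in the issue above; it is not Roller's code and not part of the original message. The commenter name, email and URL fields are plain data, not rich text, so the fix for them is different from the "safe subset" filter applied to the body: each value is escaped for the HTML context it lands in, and the URL is additionally restricted to absolute http(s) links before it is placed in an href. The sample comment, the field names and the allowed-scheme list are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input (not taken from Roller or the bug report): a comment
# whose name, email and URL fields carry markup or a script-scheme link.
HOSTILE_COMMENT = {
    "name": '<script>alert("name")</script>Mallory',
    "email": 'mallory@example.com" onmouseover="alert(1)',
    "url": 'javascript:alert(document.cookie)',
}

# Assumed policy for this example: only absolute web links are allowed in the
# commenter URL field. javascript:, data:, vbscript: and scheme-relative
# values are all rejected.
SAFE_SCHEMES = ("http", "https")


def render_header_vulnerable(comment):
    """Rendering as the issue describes it: the metadata fields are placed
    into the template verbatim, so markup in them reaches the browser."""
    return '<a href="{url}" title="{email}">{name}</a>'.format(**comment)


def safe_url(raw):
    """Return the URL unchanged if it is an absolute http(s) URL with a host,
    otherwise '' so the caller emits no link at all."""
    candidate = raw.strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 brackets
        return ""
    # urlsplit lowercases the scheme; a missing host means '' or '///x' forms.
    if parts.scheme not in SAFE_SCHEMES or not parts.netloc:
        return ""
    return candidate


def render_header_hardened(comment):
    """Escape every field for its context. Name and email are text/attribute
    values and are HTML-escaped; the URL is validated first and then
    attribute-escaped. If the URL fails validation the name is rendered
    without a link instead of with a neutralised one."""
    name = html.escape(comment["name"], quote=True)
    email = html.escape(comment["email"], quote=True)
    url = safe_url(comment["url"])
    if url:
        return '<a href="%s" title="%s">%s</a>' % (
            html.escape(url, quote=True), email, name)
    return '<span title="%s">%s</span>' % (email, name)


if __name__ == "__main__":
    print("vulnerable:", render_header_vulnerable(HOSTILE_COMMENT))
    print("hardened:  ", render_header_hardened(HOSTILE_COMMENT))
```

The point the example makes is that "safe subset" filtering is the wrong tool for these fields: nothing in a name or an email address is legitimately HTML, so full escaping loses nothing, and a URL needs a scheme and host check on top of escaping because an escaped javascript: link is still a javascript: link.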