You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@allura.apache.org by Dave Brondsema <da...@brondsema.net> on 2016/06/20 22:00:34 UTC

[allura:tickets] #4644 Don't whitelist form elements in markdown processing



---

** [tickets:#4644] Don't whitelist form elements in markdown processing**

**Status:** in-progress
**Milestone:** unreleased
**Labels:** ux 
**Created:** Wed Aug 01, 2012 09:48 PM UTC by Dave Brondsema
**Last Updated:** Wed Mar 11, 2015 10:43 AM UTC
**Owner:** Dave Brondsema


`<textarea>` is whitelisted, but pretty useless (and surprising) to see rendered as a real textarea.  There doesn't seem to be a use for any form element to be rendered.

Our HTMLSanitizer preprocessor uses feedparser._HTMLSanitizer.  We could subclass that to remove items from acceptable_elements.

It would be nice if these were automatically escaped, rather than removed.


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

[allura:tickets] #4644 Don't whitelist form elements in markdown processing

Posted by Dave Brondsema <da...@brondsema.net>.

- **status**: in-progress --> closed



---

** [tickets:#4644] Don't whitelist form elements in markdown processing**

**Status:** closed
**Milestone:** unreleased
**Labels:** ux 
**Created:** Wed Aug 01, 2012 09:48 PM UTC by Dave Brondsema
**Last Updated:** Tue Jun 21, 2016 02:31 PM UTC
**Owner:** Dave Brondsema


`<textarea>` is whitelisted, but pretty useless (and surprising) to see rendered as a real textarea.  There doesn't seem to be a use for any form element to be rendered.

Our HTMLSanitizer preprocessor uses feedparser._HTMLSanitizer.  We could subclass that to remove items from acceptable_elements.

It would be nice if these were automatically escaped, rather than removed.


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

[allura:tickets] Ticket 4644 discussion

Posted by Dave Brondsema <da...@brondsema.net>.

- **status**: open --> in-progress
- **assigned_to**: Dave Brondsema



---

** [tickets:#4644] Don't whitelist form elements in markdown processing**

**Status:** in-progress
**Milestone:** unreleased
**Labels:** ux 
**Created:** Wed Aug 01, 2012 09:48 PM UTC by Dave Brondsema
**Last Updated:** Wed Mar 11, 2015 10:43 AM UTC
**Owner:** Dave Brondsema


`<textarea>` is whitelisted, but pretty useless (and surprising) to see rendered as a real textarea.  There doesn't seem to be a use for any form element to be rendered.

Our HTMLSanitizer preprocessor uses feedparser._HTMLSanitizer.  We could subclass that to remove items from acceptable_elements.

It would be nice if these were automatically escaped, rather than removed.


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

[allura:tickets] #4644 Don't whitelist form elements in markdown processing

Posted by Dave Brondsema <da...@brondsema.net>.

On branch db/4644

To test, start on the master branch and create a comment/page/ticket/anything using form tags.  Then switch to this branch and that existing content (as well as any new posts) will escape the form tags.


---

** [tickets:#4644] Don't whitelist form elements in markdown processing**

**Status:** in-progress
**Milestone:** unreleased
**Labels:** ux 
**Created:** Wed Aug 01, 2012 09:48 PM UTC by Dave Brondsema
**Last Updated:** Mon Jun 20, 2016 10:00 PM UTC
**Owner:** Dave Brondsema


`<textarea>` is whitelisted, but pretty useless (and surprising) to see rendered as a real textarea.  There doesn't seem to be a use for any form element to be rendered.

Our HTMLSanitizer preprocessor uses feedparser._HTMLSanitizer.  We could subclass that to remove items from acceptable_elements.

It would be nice if these were automatically escaped, rather than removed.


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.