Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BLOG-128: Cannot use HTML5 in Blog Posts #28

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

evalica
Copy link
Member

@evalica evalica commented Jan 16, 2019

Issues described at https://jira.xwiki.org/browse/BLOG-128

Fix suggested by @mflorea . Thank you

After:
expected

Copy link
Member

@sdumitriu sdumitriu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has a huge implication: user-entered html is completely unprocessed. In theory, scripting attacks can be entered even with a valid cleaned html with the current cleaning process, so unless someone uses a stronger cleaning process, the old behavior doesn't prevent js hacks. Still, someone entering malformed html can completely break the layout of the page without the clean.

A proper fix would be to use an HTML5 aware cleaner.

I'm slightly -1 on merging this.

@evalica
Copy link
Member Author

evalica commented Jan 22, 2019

Still, the preview of blog post allow HTML5, so there is no clean up there. So we either fix the clean up in Preview, of fix this. They should be consistent.
A "HTML5 aware cleaner" would be ideal.
The PR solution maybe it's more hackish, but can be applies for the people that need it.
Thanks for the input.

@lucaa
Copy link
Member

lucaa commented Nov 16, 2020

@sdumitriu While I understand the concern, I kinda join @evalica's point of view: if it's not done everywhere and everytime, making it happen only for the blog is not protecting much, is only creating inconsistencies and raised eyebrows on usage...

@michitux
Copy link

With XWiki 14.1RC1, this change won't be necessary anymore to allow HTML 5 as the HTML macro will allow HTML 5 when the target syntax is HTML 5 (see XRENDERING-509 and my comment on BLOG-128). I don't have the permission to close the issue or this pull request, feel free to close them if you consider this fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants