BLOG-128: Cannot use HTML5 in Blog Posts #28
Conversation
Fix suggested by @mflorea . Thank you
There was a problem hiding this comment.
This has a huge implication: user-entered html is completely unprocessed. In theory, scripting attacks can be entered even with a valid cleaned html with the current cleaning process, so unless someone uses a stronger cleaning process, the old behavior doesn't prevent js hacks. Still, someone entering malformed html can completely break the layout of the page without the clean.
A proper fix would be to use an HTML5 aware cleaner.
I'm slightly -1 on merging this.
|
Still, the preview of blog post allow HTML5, so there is no clean up there. So we either fix the clean up in Preview, of fix this. They should be consistent. |
|
@sdumitriu While I understand the concern, I kinda join @evalica's point of view: if it's not done everywhere and everytime, making it happen only for the blog is not protecting much, is only creating inconsistencies and raised eyebrows on usage... |
|
With XWiki 14.1RC1, this change won't be necessary anymore to allow HTML 5 as the HTML macro will allow HTML 5 when the target syntax is HTML 5 (see XRENDERING-509 and my comment on BLOG-128). I don't have the permission to close the issue or this pull request, feel free to close them if you consider this fixed. |
Issues described at https://jira.xwiki.org/browse/BLOG-128
Fix suggested by @mflorea . Thank you
After:
