Strip out HTML in all user input (apart from node content)

[dom]

A new spamming ploy is to use <a href ... node names. This results in much easier linkspamming and should be filtered out.

[dom]

See also #68.

[dom]

(In [775]) Quick fix to partially fix HTML spam problem (references #79)

[dom]

Proper fix needs Wiki::Toolkit and better commit hooks.

[anonymous]

hello

salut je cherche une povoir pour savi

[Kake]

Decision: Run all user input through CGI::escapeHTML in the commit_node method of OpenGuides.pm after we call OpenGuides::Template to extract the variables from the CGI object. Also, move Dom's temporary escaping here from OpenGuides::Template (changeset

Error: Failed to load processor 775

No macro or processor named '775' found

).

[Kake]

See also #22, the same person should do these.

[dom]

The escaping shouldn't be done in the commit_node, but in the HTML presentation logic. Some templates already use CGI.escapeHTML in them; it would probably be appropriate to do the same here.

[dom]

TT apparently has its own internal HTML filtering capability.

[dom]

After further consideration, Template.pm is the correct place to do this. Action: wait until #21 has been fixed (otherwise the website text cannot be filtered) and then CGI::escapeHTML all the metadata in Template->output after extract_metadata_vars has been called.

[dom]

See also #233 - make sure that escapeHTML does what it should with quotes.