Opened 16 years ago

Closed 9 years ago

#79 closed defect (duplicate)

Strip out HTML in all user input (apart from node content)

Reported by: Dominic Hargreaves
Owned by: bob
Priority: high
Milestone:
Component: openguides
Version: svn
Severity: major
Keywords: hackfestsummer2007-reviewed review migrated
Cc:

Description

A new spamming ploy is to use <a href ... node names. This results in much easier linkspamming and should be filtered out.

Change History (20)

comment:1 Changed 16 years ago by Dominic Hargreaves

Milestone: 0.52
Status: new → assigned

comment:2 Changed 16 years ago by Dominic Hargreaves

Milestone: 0.52 → 0.53
Summary: Strip out HTML in node names → Strip out HTML in all user input (apart from node content)

See also #68.

comment:3 Changed 16 years ago by Dominic Hargreaves

(In [775]) Quick fix to partially fix HTML spam problem (references #79)

comment:4 Changed 16 years ago by Dominic Hargreaves

Milestone: 0.53 → 0.54

Proper fix needs Wiki::Toolkit and better commit hooks.

comment:5 Changed 15 years ago by anonymous

hello

hi, I'm looking for a way to know

comment:6 Changed 15 years ago by Dominic Hargreaves

Milestone: 0.58

comment:7 Changed 15 years ago by Dominic Hargreaves

Owner: Dominic Hargreaves deleted
Status: assigned → new

comment:8 Changed 14 years ago by Dominic Hargreaves

Owner: set to Nobody

comment:9 Changed 14 years ago by Kake

Decision: Run all user input through CGI::escapeHTML in the commit_node method of OpenGuides.pm after we call OpenGuides::Template to extract the variables from the CGI object. Also, move Dom's temporary escaping here from OpenGuides::Template (changeset 775?).

comment:10 Changed 14 years ago by Kake

Keywords: hackfestsummer2007-reviewed added

comment:11 Changed 14 years ago by Kake

See also #22, the same person should do these.

comment:12 Changed 14 years ago by Dominic Hargreaves

Owner: changed from Nobody to Dominic Hargreaves
Status: new → assigned

comment:13 Changed 14 years ago by Dominic Hargreaves

The escaping shouldn't be done in the commit_node, but in the HTML presentation logic. Some templates already use CGI.escapeHTML in them; it would probably be appropriate to do the same here.

comment:14 Changed 14 years ago by Dominic Hargreaves

TT apparently has its own internal HTML filtering capability.

comment:15 Changed 14 years ago by Dominic Hargreaves

After further consideration, Template.pm is the correct place to do this. Action: wait until #21 has been fixed (otherwise the website text cannot be filtered) and then CGI::escapeHTML all the metadata in Template->output after extract_metadata_vars has been called.

comment:16 Changed 14 years ago by Dominic Hargreaves

See also #233 - make sure that escapeHTML does what it should with quotes.
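The escaping step decided on in comments 9, 15 and 16 (escape every user-supplied metadata value at presentation time, after extract_metadata_vars, leaving the already-rendered node content alone, and making sure quotes are covered) looks roughly like this in Perl. This is an added illustration, not OpenGuides' own code: escape_html, escape_metadata_vars, the skip option and the sample metadata hash (including the example.invalid URL) are all assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that matter in HTML text and attribute
# context. The single quote is handled explicitly because CGI::escapeHTML
# has historically left it alone (the concern raised in comment 16 / #233).
sub escape_html {
    my ($text) = @_;
    return $text unless defined $text;
    my %map = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Walk a metadata hash (as extract_metadata_vars might return it) and
# escape every scalar and every element of every array ref. Keys listed
# in 'skip' (here: the node content, which the formatter has already
# rendered to HTML) are passed through untouched. Hypothetical helper.
sub escape_metadata_vars {
    my ($vars, %opts) = @_;
    my %skip = map { $_ => 1 } @{ $opts{skip} || [] };
    my %out;
    for my $key (keys %$vars) {
        my $val = $vars->{$key};
        if ($skip{$key}) {
            $out{$key} = $val;
        } elsif (ref $val eq 'ARRAY') {
            $out{$key} = [ map { escape_html($_) } @$val ];
        } elsif (!ref $val) {
            $out{$key} = escape_html($val);
        } else {
            $out{$key} = $val;   # other references are left as they are
        }
    }
    return \%out;
}

# Constructed sample: metadata for a node whose name and one category
# carry the kind of markup the ticket describes.
my $vars = {
    node_name  => '<a href="http://example.invalid/">Cheap pills</a>',
    summary    => q{Tom's "cafe" & bar},
    categories => [ 'Pubs', '<script>alert(1)</script>' ],
    content    => '<p>Already-rendered wiki content stays as is.</p>',
};

my $safe = escape_metadata_vars($vars, skip => ['content']);

for my $key (sort keys %$safe) {
    my $val = $safe->{$key};
    $val = join(', ', @$val) if ref $val eq 'ARRAY';
    printf "%-11s %s\n", $key, $val;
}
```

Run as-is, the node name comes out as `&lt;a href=&quot;http://example.invalid/&quot;&gt;Cheap pills&lt;/a&gt;`, the summary as `Tom&#39;s &quot;cafe&quot; &amp; bar`, the script tag in the category list is neutralised, and the content string is unchanged. Doing this once in Template->output rather than in commit_node means the stored metadata stays raw (so it is not double-escaped on re-edit) and every template gets the escaped values whether or not it remembers to apply a filter itself.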

comment:17 Changed 12 years ago by Dominic Hargreaves

Owner: changed from Dominic Hargreaves to Nobody
Status: assigned → new

This issue needs to be reviewed; I've lost track of exactly what the problem is, if there still is one. All metadata fields appear to be escaped correctly already.

comment:18 Changed 10 years ago by bob

Keywords: review added
Owner: changed from Nobody to bob
Severity: normal → major

comment:20 Changed 9 years ago by bob

Resolution: duplicate
Status: new → closed