Issue tracker moved to https://gitlab.archlinux.org/archlinux/aurweb/-/issues
FS#2613 - What HTML are allowed in comment field?
Attached to Project:
AUR web interface
Opened by Sergio Jovani Guzman (moret) - Tuesday, 19 April 2005, 07:58 GMT
Last edited by Simo Leone (neotuli) - Friday, 22 April 2005, 03:31 GMT
Details
I've seen that comments support HTML, like <b>, but it can be dangerous if you limit this use. JavaScript or others are dangerous. Is it limited? If it's not, I know a PHP function in order to remove any HTML code.
--------------------------------------------
function html($comment) {
    $comment = trim($comment);
    // htmlspecialchars() turns <, >, & and " into entities so the browser shows them as text
    $comment = htmlspecialchars($comment);
    return $comment;
}
--------------------------------------------
And you can use it...
--------------------------------------------
$comment = '<a href="">...</a>...';
$comment = html($comment);
echo $comment;
--------------------------------------------
Bye!
I tested this out, it's no joke, you can embed the hell as much JavaScript as you want to in a comment.
http://aur.archlinux.org/packages.php?do_Details=1&ID=55. And that's just a harmless example.
I was also able to make it so that the package page was never displayed, but the user is immediately redirected to wherever.
I suppose the list goes on.
This needs to get taken care of. NOW.
Only thing I can think of would be allowing certain tags, like bold italic and so forth. But then again these are just package comments, not a forum.
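Added example (not aurweb's code and not the reporter's function above): the two approaches discussed in this ticket, side by side in PHP. escape_comment() is the escape-everything option from the report, with ENT_QUOTES so single-quoted attribute contexts are covered as well; format_comment() is the "allow bold, italic and so forth" option from the comment, implemented as escape-everything-first and then restore only bare allowlisted tags, so attributes such as onmouseover or href=javascript: can never survive. Function names, the allowlist and the sample comments are assumptions made for this example.

```php
<?php
// Added example, not aurweb code. Two ways to neutralise HTML in a package comment.

// Option 1 (the report's suggestion): escape everything. After this the browser
// never sees markup; <b> is shown literally as "<b>".
function escape_comment(string $comment): string {
    return htmlspecialchars(trim($comment), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Option 2 (the comment's suggestion): same escaping, then re-enable a tiny
// allowlist of attribute-free formatting tags. Because we only ever restore the
// exact strings "&lt;b&gt;" / "&lt;/b&gt;", a tag carrying attributes
// (e.g. <b onmouseover=...>) stays escaped and inert.
function format_comment(string $comment, array $allowed = ['b', 'i', 'em', 'strong']): string {
    $escaped = escape_comment($comment);
    foreach ($allowed as $tag) {
        $escaped = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $escaped
        );
    }
    return $escaped;
}

// Constructed sample comments (not real AUR data), including the kinds of
// payload the ticket is worried about.
$samples = [
    'Works <b>great</b> on my box',
    '<script>alert(1)</script>',
    '<b onmouseover="alert(1)">hover me</b>',
    '<a href="javascript:alert(1)">click</a>',
    "O'Reilly & co",
];

foreach ($samples as $s) {
    printf("%-42s => %s\n", $s, format_comment($s));
}
```

Running the script shows that only the bare `<b>...</b>` pair in the first sample comes back as live markup; every other sample is rendered as harmless text. Note that in the third sample the closing `</b>` is restored while the attribute-laden opening tag stays escaped, leaving a stray closing tag that browsers simply ignore. If richer markup than a handful of inline tags is ever wanted, this restore-after-escape trick does not scale and a real HTML sanitizer is needed instead.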