Defang issues


dandv
Administrator
I've just migrated my wiki to the current GitHub checkout version, and
one of the new features is MojoMojo::Formatter::Defang, a module
included by default, which attempts to prevent XSS by replacing a
number of HTML element attributes with "defang_<attribute>".

To ensure the migration did not affect the content, I generated an
HTML export of the same database using both the old version and the
current one. Then, I processed all HTML with a series of
search&replace rules, and I compared the two exports. It turned out
that numerous wiki pages had been corrupted in various ways by Defang:

* the intra-page links of footnotes and backlinks are broken
* {{YouTube ...}} is broken
* links that contain %[0-9A-F]\2 hex sequences are almost always broken
* other "special" characters in URLs are corrupted

I put up a test page at http://mojomojo.org/test/defang .

As far as I'm concerned, I've removed the Defang formatter, which
avoids all the issues above (the two exports compared identically).

--
Dan

_______________________________________________
Mojomojo mailing list
[hidden email]
http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/mojomojo
If God is good, why do 26000 children die each day?
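
The export comparison described in the post can be automated as a regression check when a sanitizer is added to a rendering pipeline. The following is an added example, not code from the post or from MojoMojo: it diffs link-bearing attributes between two HTML renderings and flags attributes renamed with the `defang_` prefix. The sample HTML, the function names and the choice of watched attributes are constructed assumptions, not actual Defang output.

```python
from collections import Counter
from html.parser import HTMLParser

# Assumption: attributes whose loss or alteration breaks links and anchors.
WATCHED = {"href", "src", "id", "name"}

class AttrCollector(HTMLParser):
    """Collect (tag, attribute, value) triples in document order."""
    def __init__(self):
        super().__init__()
        self.triples = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            self.triples.append((tag, name, value or ""))

def collect(html):
    parser = AttrCollector()
    parser.feed(html)
    parser.close()
    return parser.triples

def compare_exports(old_html, new_html):
    """Report watched attributes that were renamed, dropped or altered."""
    old, new = collect(old_html), collect(new_html)
    findings = []
    # Attributes the sanitizer neutralised by prefixing them.
    for tag, name, value in new:
        if name.startswith("defang_"):
            findings.append(("renamed", tag, name[len("defang_"):], value))
    # Watched attributes present before but absent or changed after.
    old_links = Counter(t for t in old if t[1] in WATCHED)
    new_links = Counter(t for t in new if t[1] in WATCHED)
    for (tag, name, value) in (old_links - new_links):
        findings.append(("missing", tag, name, value))
    return findings

# Constructed sample: a footnote with backlink and a URL with a %XX sequence.
OLD_EXPORT = ('<p>Note<a href="#fn1" id="ref1">1</a> '
              '<a href="http://example.org/a%20b?x=1&amp;y=2">doc</a></p>'
              '<div id="fn1"><a href="#ref1">back</a></div>')
# Constructed "after" rendering showing the kinds of breakage to look for.
NEW_EXPORT = ('<p>Note<a href="#fn1" defang_id="ref1">1</a> '
              '<a href="http://example.org/a b?x=1&amp;y=2">doc</a></p>'
              '<div defang_id="fn1"><a href="#ref1">back</a></div>')

if __name__ == "__main__":
    for finding in compare_exports(OLD_EXPORT, NEW_EXPORT):
        print(finding)
```

An empty result means the sanitizer left every watched attribute intact; any finding is a page to review before enabling the formatter on existing content.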