Defang issues

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
Report Content as Inappropriate

Defang issues

I've just migrated my wiki to the current GitHub checkout version, and
one of the new features is MojoMojo::Formatter::Defang, a module
included by default, which attempts to prevent XSS by replacing a
number of HTML element attributes with "defang_<attribute>".

To ensure the migration did not affect the content, I generated an
HTML export of the same database using both the old version and the
current one. Then, I processed all HTML with a series of
search&replace rules, and I compared the two exports. It turned out
that numerous wiki pages had been corrupted in various ways by Defang:

* the intra-page links of footnotes and backlinks are broken
* {{YouTube ...}} is broken
* links that contain %[0-9A-F]\2 hex sequences are almost always broken
* other "special" characters in URLs are corrupted

I put up a test page at http://mojomojo.org/test/defang .

As far as I'm concerned, I've removed the Defang formatter, which
avoid all the issues above (the two exports compared identically).


Mojomojo mailing list
[hidden email]
If God is good, why do 26000 children die each day?