Closed paul90 closed 9 years ago
Mystery solved. Thanks.
I agree that we have an obligation to escape or sanitize any unknown content we serve. But I'm thinking that escaping is the better choice except for the one case of item.type html.
Think that is better.
Rather than pass the whole page to wiki.resolveLinks, which by default will escape the page's HTML, we resolve any links in each story item. We will also extract any text from other story types, rather than just present the story item type. Any links in this text are resolved, and the output sanitized.
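The per-item approach described above, as an added example that is not Federated Wiki's own code: every story item is escaped before its [[wiki links]] are resolved, except items of type html, which are run through an allowlist sanitizer instead. The function names (renderStoryItem, extractText, sanitizeHtml), the allowed tag set, the link markup and the sample items are all assumptions made for this example; the slug rule mirrors the usual wiki convention but is not taken from the project.

```javascript
// Example only (not Federated Wiki code). All names and the tag allowlist are assumptions.

function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Assumed slug rule: whitespace to '-', drop anything else non-alphanumeric, lower-case.
function asSlug(title) {
  return title.replace(/\s/g, '-').replace(/[^A-Za-z0-9-]/g, '').toLowerCase();
}

// Resolve [[Page Title]] markup into internal links. Runs AFTER escaping/sanitizing,
// so the title text is already safe and the href is built from a slug we control.
function resolveLinks(text) {
  return text.replace(/\[\[([^\]]+)\]\]/g, (_, title) => {
    const slug = asSlug(title);
    return `<a class="internal" href="/${slug}.html" data-page-name="${slug}">${title}</a>`;
  });
}

// Minimal allowlist sanitizer for the one item type that legitimately carries HTML.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li', 'a']);

// Only http(s) or scheme-less hrefs survive; javascript:, data:, vbscript: etc. are dropped.
function safeHref(value) {
  const v = value.trim();
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  if (scheme && !/^https?$/i.test(scheme[1])) return null;
  return v.replace(/"/g, '&quot;');
}

function sanitizeHtml(html) {
  return String(html)
    .replace(/<!--[\s\S]*?-->/g, '')                                  // comments
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '')         // script/style incl. bodies
    .replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (match, name, attrs) => {
      const tag = name.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) return '';                           // unknown tag: remove tag, keep text
      if (match.startsWith('</')) return `</${tag}>`;
      if (tag !== 'a') return `<${tag}>`;                              // all attributes dropped
      const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
      const href = m ? safeHref(m[1] ?? m[2] ?? m[3]) : null;
      return href === null ? '<a>' : `<a href="${href}">`;
    });
}

// Pull displayable text out of non-html items instead of just showing the item type.
function extractText(item) {
  const parts = [item.title, item.text, item.caption].filter(Boolean);
  return parts.length ? parts.join(' ') : `[${item.type}]`;
}

// The branch the thread settles on: escape everything except type html, which is sanitized.
function renderStoryItem(item) {
  const body = item.type === 'html' ? sanitizeHtml(item.text || '') : escapeHtml(extractText(item));
  return resolveLinks(body);
}

function renderStory(page) {
  return (page.story || []).map(renderStoryItem).join('\n');
}

module.exports = { escapeHtml, asSlug, resolveLinks, sanitizeHtml, extractText, renderStoryItem, renderStory };
```

The sanitizer here is deliberately small so the escape-versus-sanitize split is visible in one place; for a real deployment a maintained HTML sanitizer would stand in for sanitizeHtml, and the rest of the flow (escape first, resolve links second, html items as the only exception) stays the same.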