Closed openstreetmap-trac closed 3 years ago
Author: tom[at]compton.nu [Added to the original trac issue at 2.43am, Tuesday, 23rd June 2009]
I'm not sure there's much we can do about this - we already run the rails HTML sanitizer on it and it's impossible to guess all the stupid things somebody might do.
Author: HannesHH [Added to the original trac issue at 8.11am, Tuesday, 23rd June 2009]
A quick web search led me to this: http://www.anyexample.com/webdev/rails/how_to_allow_some_safe_html_in_rails_projects.xml
If I understand that code right, it checks the escaped content for "full" tags (opened AND closed) before converting some tags back to HTML (unescaping the <>). That means properly closed tags will work and anything else will render like text.
I am not sure if it strips unwanted attributes (like style) too, like the site currently does.
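The approach described in that post, escaping everything first and then re-enabling only allowed tags that are properly opened and closed, can be sketched as follows. This is an added illustration, not the linked article's code and not the sanitizer OSM later shipped; the allowed-tag list and the decision to drop all attributes are assumptions chosen for the example.

```ruby
require 'cgi'

# Tags a diary post is allowed to keep (assumed list for this example).
# Anything not listed, and anything unbalanced, stays escaped as plain text.
ALLOWED_TAGS = %w[b i em strong p].freeze

# One escaped tag token after CGI.escapeHTML: &lt;tag attrs&gt; or &lt;/tag&gt;.
# Attributes are matched only so they can be discarded.
TOKEN_RE = %r{&lt;(/?)(\w+)(?:\s.*?)?&gt;}i

def sanitize_balanced(input)
  escaped = CGI.escapeHTML(input)
  tokens  = escaped.to_enum(:scan, TOKEN_RE).map { Regexp.last_match }

  stack = []   # [token index, tag name] of opening tags still waiting for a close
  keep  = {}   # token index => unescaped replacement for balanced allowed tags

  tokens.each_with_index do |m, i|
    closing = (m[1] == '/')
    name    = m[2].downcase
    next unless ALLOWED_TAGS.include?(name)

    if closing
      # Match against the nearest open tag of the same name. Any opens left
      # between it and here were never closed, so they stay as escaped text.
      j = stack.rindex { |(_, n)| n == name }
      next if j.nil?            # stray close tag with no opener: leave escaped
      open_idx, = stack[j]
      stack.slice!(j..-1)
      keep[open_idx] = "<#{name}>"   # attributes (style, onclick, ...) dropped
      keep[i]        = "</#{name}>"
    else
      stack << [i, name]
    end
  end

  # Rebuild: balanced allowed tags become real HTML, everything else is kept
  # exactly as CGI.escapeHTML produced it, so an unclosed <div> cannot leak
  # out of the post and break the page layout.
  out = +''
  pos = 0
  tokens.each_with_index do |m, i|
    out << escaped[pos...m.begin(0)]
    out << (keep[i] || m[0])
    pos = m.end(0)
  end
  out << escaped[pos..-1]
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_balanced('<b>bold</b> and <i>unclosed <div style="x">text')
end
```

Nesting is handled with a stack, so `<b><i>x</b>` keeps the `<b>` pair and leaves the orphaned `<i>` as literal text rather than emitting a tag that the browser would auto-close somewhere else on the page.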
Author: TomH [Added to the original trac issue at 3.42pm, Saturday, 6th March 2010]
Fixed by new sanitizer added in r20340.
Reporter: avarab[at]gmail.com [Submitted to the original trac issue database at 11.10am, Monday, 22nd June 2009]
If someone enters an unclosed HTML tag in a diary post it'll destroy the layout of the site, e.g.: