ringo-framework / ringo_news

News extension for the Ringo framework
GNU General Public License v3.0

XSS possible in News #1

Open toirl opened 8 years ago

toirl commented 8 years ago

Currently the escaping for the body of the news item is explicitly disabled in https://github.com/ringo-framework/ringo_news/blob/master/ringo_news/newslist.mako#L19 to allow HTML tags.

This is currently needed to replace the newlines with HTML breaks. It also makes it possible to write news containing HTML markup and even JavaScript.

What are possible options here to solve this security threat?
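One way to keep the line-break handling without disabling escaping, shown here as an added example rather than code from the ringo_news project: escape the body first, then turn newlines into `<br/>`, so the only tags that reach the page are the ones the renderer inserted itself. The helper names and the sample news body are constructed for this illustration; only the standard library is used, and the already-escaped result can then be emitted in the Mako template with escaping turned off (or wrapped as markup-safe) without reintroducing the problem.

```python
import html
import re

# Constructed sample news body (not from the project): a legitimate
# multi-line text into which someone has inserted markup.
SAMPLE_BODY = (
    "Release 1.2 is out.\n"
    "See the changelog.\n"
    "<script>alert('xss')</script>\r\n"
    "Bye."
)


def render_body_unsafe(body: str) -> str:
    """The pattern the issue describes: escaping is off so that newlines
    can become <br/>, which lets any markup in the body straight through."""
    return body.replace("\n", "<br/>")


def render_body_safe(body: str) -> str:
    """Hardened form: escape first, then convert line breaks.

    Because html.escape runs before the replacement, every '<' that came
    from the body is already '&lt;' when the <br/> tags are inserted, so
    those <br/> tags are the only elements in the output."""
    escaped = html.escape(body, quote=True)
    # Normalise \r\n and bare \r so each line ending yields exactly one <br/>.
    return re.sub(r"\r\n|\r|\n", "<br/>", escaped)


def contains_raw_tag(rendered: str) -> bool:
    """Defensive check: any '<' other than our own <br/> means
    body-controlled markup survived rendering."""
    return "<" in rendered.replace("<br/>", "")


if __name__ == "__main__":
    print("unsafe:", render_body_unsafe(SAMPLE_BODY))
    print("safe:  ", render_body_safe(SAMPLE_BODY))
```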