Open toirl opened 8 years ago
Currently the escaping for the body of the news item is explicitly disabled in https://github.com/ringo-framework/ringo_news/blob/master/ringo_news/newslist.mako#L19 to allow HTML tags.
This is currently needed to replace the newlines with HTML breaks. It also makes it possible to write news containing HTML markup and even JavaScript.
What are possible options here to solve this security threat?
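One of the options raised in the issue, as an added example (not ringo_news code): escape the body first and only then turn newlines into `<br>`, so the template never has to disable escaping for user-supplied text. The helper names and the sample news body below are constructed for this example.

```python
import html
import re

# Constructed sample: a news body mixing legitimate text with markup and a script tag.
SAMPLE_BODY = "Release 1.2 is out!\r\n<script>alert(1)</script>\nSee <b>notes</b>."


def render_news_body_unsafe(body: str) -> str:
    """What the template effectively does today: newlines become <br>, but the
    body itself is emitted unescaped, so any tag or script it contains reaches
    the browser verbatim. Kept here only as the 'before' for comparison."""
    return body.replace("\n", "<br>")


def render_news_body(body: str) -> str:
    """Escape first, then insert line breaks.

    html.escape turns <, >, &, " and ' into entities, so nothing the author typed
    can open a tag. The <br> elements are added afterwards by our own code and
    are the only markup that can appear in the result, which is why this output
    is safe to hand to the template with auto-escaping switched off."""
    escaped = html.escape(body, quote=True)
    # Normalise CRLF and bare CR so every line ending becomes one <br>.
    escaped = escaped.replace("\r\n", "\n").replace("\r", "\n")
    return escaped.replace("\n", "<br>")


def only_line_breaks(rendered: str) -> bool:
    """Check usable in a unit test or a template assertion: True if the only '<'
    characters in the rendered fragment start a literal <br> tag."""
    return re.search(r"<(?!br>)", rendered) is None


if __name__ == "__main__":
    print("unsafe :", render_news_body_unsafe(SAMPLE_BODY))
    print("escaped:", render_news_body(SAMPLE_BODY))
    print("clean  :", only_line_breaks(render_news_body(SAMPLE_BODY)))
```

In the Mako template this means calling such a helper for the body instead of emitting the raw value, since the helper's output already contains nothing but entities and `<br>`.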