#79: Strip out HTML in all user input (apart from node content)
-----------------------------------------+----------------------------------
  Reporter:  dom                         |        Owner:  dom
      Type:  defect                      |       Status:  assigned
  Priority:  high                        |    Milestone:
 Component:  openguides                  |      Version:  svn
  Severity:  normal                      |   Resolution:
  Keywords:  hackfestsummer2007-reviewed |
-----------------------------------------+----------------------------------
Comment (by dom):
After further consideration, Template.pm is the correct place to do this. Action: wait until #21 has been fixed (otherwise the website text cannot be filtered) and then CGI::escapeHTML all the metadata in Template->output after extract_metadata_vars has been called.
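
A sketch of the escaping step described in the comment above, added here as an example and not taken from the OpenGuides code base: it walks a template-variable structure and applies CGI::escapeHTML to every plain scalar, leaving node content alone. The function name escape_metadata, the "content" key and the sample data are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(escapeHTML);

# Assumption: keys whose values are already-rendered node content and
# must pass through untouched. The real key names are not on this page.
my %RAW_KEYS = ( content => 1 );

# Return a deep copy of $value with every plain scalar HTML-escaped.
# $key is the hash key the value was stored under, if any.
sub escape_metadata {
    my ( $value, $key ) = @_;
    return $value if defined $key && $RAW_KEYS{$key};

    if ( ref $value eq 'HASH' ) {
        my %copy;
        $copy{$_} = escape_metadata( $value->{$_}, $_ ) for keys %$value;
        return \%copy;
    }
    if ( ref $value eq 'ARRAY' ) {
        return [ map { escape_metadata($_) } @$value ];
    }
    # undef, code refs and objects are returned as they are.
    return $value if !defined $value || ref $value;
    return escapeHTML($value);
}

# Constructed sample of template variables, as they might look after
# metadata extraction (field names are illustrative).
my %tt_vars = (
    content    => '<p>Rendered <b>node</b> text</p>',
    summary    => '<script>alert(1)</script>',
    categories => [ 'Pubs & Bars', '<i>Parks</i>' ],
    website    => 'http://example.com/?a=1&b=2',
);

my $safe = escape_metadata( \%tt_vars );
for my $k ( sort keys %$safe ) {
    my $v = $safe->{$k};
    print "$k: ", ( ref $v ? join( ' | ', @$v ) : $v ), "\n";
}
```

Escaping once, at the point where variables are handed to the template, keeps the rule in one place; values escaped earlier in the pipeline would be double-encoded by this pass.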