#79: Strip out HTML in all user input (apart from node content)

  Reporter:   dom                            Owner:       dom
  Type:       defect                         Status:      assigned
  Priority:   high                           Milestone:
  Component:  openguides                     Version:     svn
  Severity:   normal                         Resolution:
  Keywords:   hackfestsummer2007-reviewed

Comment (by dom):
The escaping shouldn't be done in the commit_node, but in the HTML presentation logic. Some templates already use CGI.escapeHTML in them; it would probably be appropriate to do the same here.
openguides-tickets@lists.openguides.org
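The comment above argues for escaping at the presentation layer rather than stripping HTML when a node is committed. The following Perl script is an added illustration of that split, not code from the ticket or from OpenGuides itself: the stored record (a constructed sample hash, not a real OpenGuides node) keeps every user-supplied value raw, and the rendering step escapes each field with CGI::escapeHTML at the moment it is emitted, except node content, which goes through a stand-in wiki formatter (an assumed, toy replacement for the real one).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI ();    # for CGI::escapeHTML, the escaper the ticket comment refers to

# Constructed sample record standing in for a stored node. The storage layer
# keeps the raw values: nothing is stripped or escaped at commit time, so the
# original text is preserved for editing, diffing and non-HTML output.
my %node = (
    name     => 'Cafe <Page>',
    content  => 'Some *wiki* markup, left for the formatter.',
    username => 'alice <b>not bold</b>',
    comment  => 'fixed typo & link',
);

# Presentation layer: every user-supplied field is escaped at the point it is
# written into HTML. Node content is the exception named in the ticket; it is
# handed to the wiki formatter rather than escaped, because the formatter is
# what turns markup into (safe) HTML.
sub render_node {
    my ($node, $formatter) = @_;
    my %view;
    for my $field (qw(name username comment)) {
        $view{$field} = CGI::escapeHTML($node->{$field});
    }
    $view{content} = $formatter->($node->{content});
    return \%view;
}

# Toy stand-in for the real wiki formatter (assumption: the real one, like this
# one, escapes literal HTML before applying its own markup rules).
sub toy_formatter {
    my ($text) = @_;
    my $html = CGI::escapeHTML($text);
    $html =~ s{\*([^*]+)\*}{<em>$1</em>}g;    # *word* -> <em>word</em>
    return "<p>$html</p>";
}

my $view = render_node(\%node, \&toy_formatter);
printf "%-9s %s\n", $_, $view->{$_} for qw(name username comment content);
```

Running it prints the metadata fields with `<`, `>` and `&` replaced by entities while `content` comes back as formatter-generated `<p>...<em>wiki</em>...</p>`; the raw hash is untouched, which is the point of doing the escaping in the templates rather than in commit_node.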