Roundup Tracker - Issues


Author mschieder
Recipients ThomasAH, ber, mschieder, ncoghlan, rouilj
Date 2019-01-17.14:39:49
Message-id <>
Hi rouilj:

>I wonder if this could be used for some form of attack using html/iframe
>or possibly letting a <script> tag skip through. The latter would be
>really bad as without the correct restrictions in place it would be
>I think using local_replace to change < into &lt; and > into &gt;
>before passing the resulting text to local_markdown will shortcut this
>attack, but I am not positive.

Roundup passes the HTML to local_replace with the replacements ('< into
&lt;', '> into &gt;', etc).  So html/iframe and <script> tags are no

The link label ('[a safe side](') doesn't work either, because Roundup
replaces the link with '<a href=""></a>' and commonmark doesn't
recognize the link anymore.

The e-mail links work without restrictions.

>Also have you considered implementing a document preview mode to allow
>web entry of commonmark to be tested before it is committed?

Unfortunately I don't know Roundup so well yet and therefore I can't
estimate how complex the implementation is. So I'm not sure I'll
implement it.
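To illustrate the ordering discussed above (escape '<' and '>' before handing the text to the markdown renderer, and why a URL that Roundup has already hyperlinked is no longer seen as a commonmark link), here is an added example that is not Roundup's code. The mini-renderer and the autolinker are constructed stand-ins: like commonmark, the renderer passes raw HTML through and only rewrites `[label](url)`.

```python
import re

# Constructed stand-in for commonmark: handles only [label](http...) links
# and, like commonmark, passes raw HTML through untouched.
_MD_LINK = re.compile(r"\[([^\]]+)\]\((https?://[^\s)]+)\)")
# Constructed stand-in for Roundup's URL hyperlinking in local_replace.
_BARE_URL = re.compile(r"(https?://[^\s<)]+)")


def render_markdown_subset(text: str) -> str:
    """Rewrite [label](url) to an anchor; leave everything else as-is."""
    return _MD_LINK.sub(r'<a href="\2">\1</a>', text)


def autolink_urls(text: str) -> str:
    """Wrap bare http(s) URLs in anchors, as a tracker's autolinker would."""
    return _BARE_URL.sub(r'<a href="\1">\1</a>', text)


def escape_angle_brackets(text: str) -> str:
    """The '< into &lt;' and '> into &gt;' replacement from the message."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def render_unsafe(text: str) -> str:
    """Renderer without prior escaping: raw tags in input reach the output."""
    return render_markdown_subset(text)


def render_safe(text: str) -> str:
    """Escape first, then render: angle brackets can never form a tag."""
    return render_markdown_subset(escape_angle_brackets(text))


def render_escape_then_autolink(text: str) -> str:
    """Escape, autolink bare URLs, then render. The autolinker rewrites the
    URL inside '[label](url)' first, so the markdown link no longer matches."""
    return render_markdown_subset(autolink_urls(escape_angle_brackets(text)))


def contains_raw_tag(rendered: str, tag: str) -> bool:
    """Check whether the rendered output still carries a literal <tag ...>."""
    return f"<{tag}" in rendered.lower()
```

The third function reproduces the second observation in the message: once the URL inside the parentheses has been turned into an anchor, the markdown link syntax is no longer recognized.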
Date                 User       Action  Args
2019-01-17 14:39:49  mschieder  set     messageid: <>
2019-01-17 14:39:49  mschieder  set     recipients: + mschieder, ber, rouilj, ThomasAH, ncoghlan
2019-01-17 14:39:49  mschieder  link    issue2550856 messages
2019-01-17 14:39:49  mschieder  create