Apache Allura™ / Tickets / #4644 Don't whitelist form elements in markdown processing

#4644 Don't whitelist form elements in markdown processing

Milestone: v1.5.0

Status: closed

Owner: Dave Brondsema

Labels: ux (103)

Component: General

Reviewer: nobody

Updated: 2016-06-21

Created: 2012-08-01

Creator: Dave Brondsema

Private: No

<textarea> is whitelisted, but pretty useless (and surprising) to see rendered as a real textarea. There doesn't seem to be a use for any form element to be rendered.

Our HTMLSanitizer preprocessor uses feedparser._HTMLSanitizer. We could subclass that to remove items from acceptable_elements.

It would be nice if these were automatically escaped, rather than removed.

Dave Brondsema - 2013-07-16

labels: --> ux
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2016-06-20

status: open --> in-progress

assigned_to: Dave Brondsema
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2016-06-21

On branch db/4644

To test, start on the master branch and create a comment/page/ticket/anything using form tags. Then switch to this branch and that existing content (as well as any new posts) will escape the form tags.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2016-06-21

status: in-progress --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2016-08-22

Milestone: unreleased --> v1.5.0
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Apache Allura™

Forge software for hosting software projects

Milestone

Searches

Help

#4644 Don't whitelist form elements in markdown processing

Related

Discussion