Current release is 2.1.6 (21 Nov 2014).

Users who have not yet upgraded to 2.1 should get security release 2.0.18.14 (1 Nov 2014). We will stop providing these security releases to 2.0 at the end of this year.

Major HTMLawed Security Issues


Comments

  • The security issue was plugged by Todd's config changes. As long as you don't change the config to allow style/class again, you should be fine. If you use an advanced WYSIWYG editing plugin you'll probably want to consider installing the HTML Purifier plugin.

  • Honestly, HTML Purifier is over hyped. There are some use cases, but a forum is not one of them IMO. Possibly collaborative blogging, that sort of scale.

    If you are doing an advanced WYSIWYG then presumably you know what you are doing. There is no reason why you couldn't use it with htmLawed. Just many things would be stripped out. For instance I use a class whitelist configuration of htmLawed and use my own tinyMCE setup, which adds the classes. I'm not worried about styling in feeds in my case. All in-line styles are stripped.

    grep is your friend.
