Current releases are 2.1.3 (9 Sept 2014) and 2.0.18.13 (5 Aug 2014)

Major HTMLawed Security Issues


Comments

  • The security issue was plugged by Todd's config changes. As long as you don't change the config to allow style/class again, you should be fine. If you use an advanced WYSIWYG editing plugin you'll probably want to consider installing the HTML Purifier plugin.

  • Honestly, HTML Purifier is overhyped; there are some use cases, but a forum is not one of them IMO. Possibly collaborative blogging, that sort of scale.

    If you are doing an advanced WYSIWYG, then presumably you know what you are doing. There is no reason why you couldn't use it with htmlLawed. Just many things would be stripped out. For instance, I use a class whitelist configuration of htmlLawed and use my own tinyMCE setup, which adds the classes. I'm not worried about styling in feeds in my case. All inline styles are stripped.

    grep is your friend.
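The kind of htmLawed configuration the comment above describes (inline `style` denied, `class` limited to a whitelist of values the editor emits), as an added example that is not code from this thread, from Vanilla, or from the htmLawed project. It assumes `htmLawed.php` is on the include path and uses htmLawed's documented `safe`, `elements`, `deny_attribute`, `schemes`, `keep_bad` and `comment` config keys together with a `$spec` string using the documented `oneof` value rule; the element list, the class names and the sample input are constructed for the example.

```php
<?php
// Added example, not part of the thread or of htmLawed/Vanilla: sanitize forum
// post HTML with htmLawed so that inline styles never survive and the class
// attribute is limited to a whitelist of values the site's editor is set up to emit.
require_once 'htmLawed.php';   // assumption: htmLawed.php is on the include path

function sanitize_post(string $html): string
{
    $config = [
        // htmLawed's own hardening: drops script-capable elements and attributes
        // and rejects unsafe URL schemes, on top of the rules below.
        'safe'           => 1,
        // Only these elements survive (constructed list); anything else is removed.
        'elements'       => 'a, b, blockquote, br, code, em, i, li, ol, p, pre, strong, ul',
        // Never keep inline styles or event-handler attributes, whatever the editor sent.
        'deny_attribute' => 'style, on*',
        // Permitted URL schemes per attribute; everything else is stripped.
        'schemes'        => 'href: http, https, mailto; *: http, https',
        // Remove disallowed tags instead of escaping them into visible text.
        'keep_bad'       => 0,
        // Strip HTML comments.
        'comment'        => 1,
    ];

    // Per-element class whitelist (constructed names): on these elements, class is
    // kept only when its value is one of the listed names; any other value is dropped.
    $spec = implode('; ', [
        'a=class(oneof="ext|internal")',
        'p=class(oneof="lead|note")',
        'blockquote=class(oneof="quote")',
        'code=class(oneof="lang-php|lang-js")',
        'pre=class(oneof="codeblock")',
    ]);

    return htmLawed($html, $config, $spec);
}

// Constructed sample input: the sort of markup that reaches the server when an
// editor (or a user editing the request) is allowed to set style/class freely.
$dirty = '<p class="lead" style="position:fixed;top:0">Hello</p>'
       . '<p class="overlay">second</p>'
       . '<a href="https://example.com/" class="ext" onclick="x()">link</a>'
       . '<script>bad()</script>';

echo sanitize_post($dirty), PHP_EOL;
```

The intent of the rules: `deny_attribute` removes `style` and every `on*` handler regardless of element, the `$spec` rules keep `class` only for the listed values (`overlay` is not among them, so that attribute goes), and `elements` plus `safe` drop the `script` element outright. Two things a practitioner should check before relying on this: elements allowed in `elements` but given no `$spec` rule (here `b`, `em`, `li`, and so on) still accept any `class` value, so each allowed element that may carry `class` needs a rule; and the exact `$spec` syntax should be confirmed against the README shipped with the installed htmLawed version.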
