
Major HTMLawed Security Issues

  • The security issue was plugged by Todd's config changes. As long as you don't change the config to allow style/class again, you should be fine. If you use an advanced WYSIWYG editing plugin you'll probably want to consider installing the HTML Purifier plugin.

  • Honestly, HTML Purifier is over hyped; there are some use cases, but a forum is not one of them IMO. Possibly collaborative blogging, that sort of scale.

    If you are doing an advanced WYSIWYG then presumably you know what you are doing. There is no reason why you couldn't use it with htmlLawed. Just many things would be stripped out. For instance, I use a class whitelist configuration of htmlLawed and use my own tinyMCE setup, which adds the classes. I'm not worried about styling in feeds in my case. All in-line styles are stripped.

    grep is your friend.
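The setup the post above describes, as an added example that is not from this thread or from the htmLawed project itself: inline `style` attributes are denied outright, and a `hook_tag` callback keeps only `class` values on an allow-list. The allowed class names, the sample input, and the void-element list are constructed for the example; the hook's contract (element name plus attribute array, `0` for a closing tag, attribute values already cleaned by htmLawed) is assumed from the library's documented behaviour, so check it against the version you run.

```php
<?php
// Added example, not code from the thread or from htmLawed.
// Assumes htmLawed.php is on the include path.
require_once 'htmLawed.php';

// Constructed allow-list: the classes the editor (e.g. a custom tinyMCE setup) is permitted to emit.
const ALLOWED_CLASSES = ['note', 'quote', 'code-block'];

// hook_tag callback. htmLawed calls it once per tag with the element name and an
// attribute array (0 for a closing tag) and uses the returned string as the tag.
function whitelist_class_hook($element, $attribute_array = 0)
{
    if ($attribute_array === 0) {
        return "</$element>";
    }

    if (isset($attribute_array['class'])) {
        // Keep only allow-listed class tokens; drop the attribute if none survive.
        $tokens = preg_split('/\s+/', trim($attribute_array['class']));
        $kept   = array_values(array_intersect($tokens, ALLOWED_CLASSES));
        if ($kept) {
            $attribute_array['class'] = implode(' ', $kept);
        } else {
            unset($attribute_array['class']);
        }
    }

    // Values are written back as-is: htmLawed has already cleaned them (assumption about the hook contract).
    $attrs = '';
    foreach ($attribute_array as $name => $value) {
        $attrs .= ' ' . $name . '="' . $value . '"';
    }

    // Void elements get the self-closing slash when the tag is rebuilt by hand (constructed list).
    $void = ['br', 'hr', 'img', 'input'];
    return "<$element$attrs" . (in_array($element, $void, true) ? ' /' : '') . '>';
}

$config = [
    'safe'           => 1,                      // neutralise script, on* handlers, javascript: URLs
    'deny_attribute' => 'style',                // strip every inline style, as the post describes
    'hook_tag'       => 'whitelist_class_hook', // enforce the class allow-list
];

// Constructed sample input, not from the thread.
$input = '<p class="note evil">hi</p><p style="color:red" class="evil">x</p>';
echo htmLawed($input, $config), "\n";
```

With this configuration the first paragraph keeps only `class="note"` and the second loses both its `style` and its unlisted `class`, which is the behaviour the post describes: the editor adds the classes, and anything outside the whitelist is stripped.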
