[sword-devel] RTFHTML filter not escaping HTML entities

Troy A. Griffitts scribe at crosswire.org
Mon Dec 31 10:46:19 MST 2018


I would like to point out that modules downloaded from a source other than an endorsed repository could contain all kinds of stuff the user might not like. The entire module is suspect. The .conf file is the least of worries.

I am not concerned about escaping other markup. The official position is that we don't support any other markup beyond HTML <a href...> links. The behavior of including any other markup is undefined and bad practice. I am not concerned with preventing it. Practically, though, 90% of our frontends use HTML displays for most everything, and thus other HTML tags will likely work.

I don't see the security issue. It's like opening a Word doc attached to an email from a stranger. You are not guaranteed it won't do something unkind. This is why we have endorsed SWORD repositories. To prevent all unkind things from ever happening would be like Word trying to prevent the same. It would occupy man years and never accomplish the goal.

Thoughts?

Troy

On December 30, 2018 2:57:48 PM MST, "refdoc at gmx.net" <refdoc at gmx.net> wrote:

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
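One defensive shape for the filter behaviour under discussion, written here as an added example and not code from the SWORD project: every HTML-significant character in a module .conf value is escaped, and only a bare <a href="http(s)://..."> link is passed through, rebuilt from its parts so that no other attribute survives. Function names are hypothetical.

```cpp
#include <string>
#include <regex>

// Escape the HTML-significant characters of a plain-text span.
static std::string escapeText(const std::string &s) {
    std::string out;
    out.reserve(s.size());
    for (char c : s) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default:  out += c;
        }
    }
    return out;
}

// Hypothetical filter step: escape everything except simple
// <a href="http(s)://..."> ... </a> links. A link is re-emitted from
// its captured href and text only, so extra attributes, non-http
// schemes and any other tag end up as escaped literal text.
std::string escapeConfHtml(const std::string &in) {
    static const std::regex link(
        R"re(<a\s+href\s*=\s*["']?(https?://[^"'\s>]+)["']?\s*>(.*?)</a>)re",
        std::regex::icase);
    std::string out;
    std::size_t last = 0;
    for (auto it = std::sregex_iterator(in.begin(), in.end(), link);
         it != std::sregex_iterator(); ++it) {
        const std::smatch &m = *it;
        // Text before the link is ordinary content: escape it.
        out += escapeText(in.substr(last, m.position() - last));
        out += "<a href=\"" + escapeText(m[1].str()) + "\">"
             + escapeText(m[2].str()) + "</a>";
        last = m.position() + m.length();
    }
    out += escapeText(in.substr(last));
    return out;
}
```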

