Exclude attributes starting "on" on HTML elements
Because:
* It doesn't work well with TW5's refresh mechanism, which relies on being able to regenerate any portion of the DOM as required; this frequently causes inline handlers to be re-executed at unexpected times (see http://tiddlywiki.com/static/TiddlyWiki%2520for%2520Developers.html)
* It mixes TW5 version-specific JavaScript with user content
* In multiuser environments there is a security risk to importing or viewing tiddlers you didn't author if they can have JavaScript in them
Jermolene committed Mar 12, 2014
1 parent 0d18f3c
commit d0caf21
Showing 2 changed files with 10 additions and 3 deletions.
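As an added example (not TiddlyWiki's own code), here is a name-based filter implementing the rule the commit message describes: any attribute whose name begins with "on" is dropped before user-authored content is rendered, matched case-insensitively because HTML attribute names are case-insensitive. The attribute-object shape and the sample values are constructed for this example and are not TW5's internal parse tree.

```javascript
// Added example, not TiddlyWiki's code: reject HTML attributes whose name
// starts with "on" (inline event handlers) before rendering user content.

// HTML attribute names are case-insensitive, so match "onclick", "onClick"
// and "ONMOUSEOVER" alike.
const EVENT_HANDLER_ATTR = /^on/i;

// Returns true when an attribute name should be excluded from the element.
function isEventHandlerAttribute(name) {
  return EVENT_HANDLER_ATTR.test(name);
}

// Takes a plain object of attribute name -> value (an assumed shape for this
// example) and returns a copy without any on* attributes. Only the name is
// inspected; attribute values are passed through unchanged.
function stripEventHandlerAttributes(attributes) {
  const kept = {};
  for (const [name, value] of Object.entries(attributes)) {
    if (!isEventHandlerAttribute(name)) {
      kept[name] = value;
    }
  }
  return kept;
}

// Constructed sample: attributes as a user might author them in a tiddler.
// "data-onclick" is kept because the rule is a prefix test on the name, so
// only names that begin with "on" are affected.
const sampleAttributes = {
  href: "https://example.invalid/page",
  class: "tc-tiddlylink",
  "data-onclick": "not a handler",
  onclick: "alert(1)",
  ONMOUSEOVER: "alert(2)",
};

console.log(stripEventHandlerAttributes(sampleAttributes));
```

The check is name-only, so it enforces the authoring rule discussed in the comments below rather than acting as a full HTML sanitiser.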
Comment on d0caf21:
Depending on how much this is about user security as opposed to merely being about robust operation, you may want to go a bit further than that.
The latter sections of the Sanitization page in the docs for the Python Universal Feed Parser module have some good examples of other ways Javascript execution can be accomplished.
If you really want secure and don't need an explanation of the "why", there's also the WHATWG's Sanitization rules wiki page, which evolved from feedparser's rules.
Comment on d0caf21:
At this point I'm not trying to fully sanitise our way around the more obscure browser issues, but to try to ensure that authors don't start using dangerous patterns, like inline event handlers and script tags.