Geeklog Forums
Allowable html with GL1.3.7SR3?
rv8
Forum User
Regular Poster
Registered: 10/10/02
Posts: 105
Location:Ottawa, Canada
I upgraded from GL 1.3.7SR2 to 1.3.7SR3 and note that many html tags are not allowed to have any attributes by default. Is this because the other attributes may offer security risks, or is it simply because the developers were trying to get the most needed functionality released as soon as possible?
Is there a risk to allowing the <hr> tag to have attributes of ALIGN, WIDTH and SIZE? Is there a problem with allowing the <BR> tag to have a CLEAR attribute?
How can we know which attributes are acceptable for users and for admin?
Thanks,
Kevin Horton
destr0yr
Forum User
Full Member
Registered: 07/06/02
Posts: 324
Also in the GL 1.3.8-1sr1 in the lib-common.php, the COM_allowedHTML is listed as COM_COM_allowedHTML. (Or are the sugar cubes I'm eating finally getting to me?) I made a comment on the main page about this.
-- destr0yr
"I love deadlines. I like the whooshing sound they make as they fly by." -- Douglas Adams
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by rv8: Is this because the other attributes may offer security risks, or is it simply because the developers were trying to get the most needed functionality released as soon as possible?
The latter.
Attributes like those for alignment or size don't pose any risks. You should avoid the style attribute and probably also the id and class attributes. Attributes typically used for Javascripts etc. (like onmouseover) are also to be avoided.
The current set is a bit conservative - maybe too conservative for some sites. I'd guess that we'll find a better standard set over time.
bye, Dirk
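An added illustration of the rule Dirk gives (this is not Geeklog code, and the ALLOWED table is a constructed example, not Geeklog's real config layout): a per-tag attribute allowlist where presentational attributes like align, width, size and clear pass through, while style, id, class and any on* handler are always stripped, and every removal is reported so it can be logged.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist in the spirit of Dirk's answer (hypothetical, not
# Geeklog's real config layout): each tag maps to the attributes it may carry.
ALLOWED = {
    "p": set(), "b": set(), "i": set(),
    "br": {"clear"},
    "hr": {"align", "width", "size"},
}
NEVER = {"style", "id", "class"}  # refused even if someone adds them to ALLOWED

class AllowlistFilter(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []  # (tag, attr or None) pairs removed; worth logging
    def _tag(self, tag, attrs, self_closing):
        if tag not in ALLOWED:
            self.dropped.append((tag, None))  # tag goes, its text content stays
            return
        kept = []
        for name, value in attrs:  # the parser has lower-cased tag and names
            if name in NEVER or name.startswith("on") or name not in ALLOWED[tag]:
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>")
    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs, False)
    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, True)
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):  # text is re-escaped, never copied raw
        self.out.append(escape(data, quote=False))
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def filter_html(fragment):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    f = AllowlistFilter()
    f.feed(fragment)
    f.close()
    return "".join(f.out), f.dropped
```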