Age | Commit message | Author | |
---|---|---|---|
2008-12-11 | comments: Use HTML entities to escape directives | Simon McVittie | |
2008-12-11 | Embed comments into comments_embed.tmpl rather than concatenating in perl | Simon McVittie | |
2008-12-11 | comments: use CGI module's checksessionexpiry | Simon McVittie | |
2008-12-11 | comments: remove allowhtml option, just switch it on all the time | Simon McVittie | |
 | Now that posts are individually sanitized, that should be safe. | | |
2008-12-11 | comments: load inline and mdwn lazily | Simon McVittie | |
2008-12-11 | comments: don't rely on mdwn getting loaded first | Simon McVittie | |
2008-12-11 | comments: sanitize the body of each comment before posting it | Simon McVittie | |
 | This should ensure that users can't "break out" from the enclosing `<div>`, making it impossible to forge comments (assuming htmlscrubber is enabled, and so is either htmlbalance or htmltidy). | | |
2008-12-11 | Fix typo that led to comments being blanked | Simon McVittie | |
2008-12-11 | postcomment: Rename plugin to comments, use *._comment files | Simon McVittie | |
 | The PageSpec is still called "postcomment" since that's what it means. | | |