From 6652de5e1abcaac3ee2f4bf17e5a4b847fcadb0d Mon Sep 17 00:00:00 2001 From: joey Date: Fri, 5 May 2006 05:41:11 +0000 Subject: * Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber and --disable-plugin htmlscrubber. --- doc/htmlsanitization.mdwn | 30 ------------------------------ 1 file changed, 30 deletions(-) delete mode 100644 doc/htmlsanitization.mdwn (limited to 'doc/htmlsanitization.mdwn') diff --git a/doc/htmlsanitization.mdwn b/doc/htmlsanitization.mdwn deleted file mode 100644 index 2c814e8e4..000000000 --- a/doc/htmlsanitization.mdwn +++ /dev/null @@ -1,30 +0,0 @@ -When run with the `--sanitize` switch, which is turned on by default (see -[[usage]]), ikiwiki sanitizes the html on pages it renders to avoid XSS -attacks and the like. - -ikiwiki excludes all html tags and attributes except for those that are -whitelisted using the same lists as used by Mark Pilgrim's Universal Feed -Parser, documented at . -Notably it strips `style`, `link`, and the `style` attribute. - -ikiwiki uses the HTML::Scrubber perl module to perform its html -sanitisation, and this perl module also deals with various entity encoding -tricks. - -While I believe that this makes ikiwiki as resistant to malicious html -content as anything else on the web, I cannot guarantee that it will -actually protect every user of every browser from every browser security -hole, badly designed feature, etc. I can provide NO WARRANTY, like it says -in ikiwiki's [GPL](GPL) license. - -The web's security model is *fundamentally broken*; ikiwiki's html -sanitisation is only a patch on the underlying gaping hole that is your web -browser. - ----- - -Some examples of embedded javascript that won't be let through. - -* test -* test -* test -- cgit v1.2.3
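Review bot: the hunk deletes doc/htmlsanitization.mdwn outright, but nothing in this patch carries its content forward, so the only user-facing description of what the scrubber does (whitelisting tags and attributes per the Universal Feed Parser lists, stripping `style`, `link` and the `style` attribute, relying on HTML::Scrubber for entity-encoding tricks, and the warning that it is not a guarantee against every browser hole) disappears with the `--sanitize` switch. Since the commit message says the behaviour now lives in the htmlscrubber plugin rather than going away, suggest moving the deleted prose into a documentation page for that plugin in the same commit, with the opening sentence rewritten to describe `--plugin htmlscrubber` / `--disable-plugin htmlscrubber` instead of `--sanitize`, and keeping the "on by default" statement if that is still true. The deleted page also links to [[usage]], which presumably still documents `--sanitize`/`--no-sanitize`; that page is not in this diff and should be updated alongside it so the wiki does not describe a switch that no longer exists. Finally, the three `* test` items under "Some examples of embedded javascript that won't be let through" are the very examples a reader of a sanitisation page wants; if the text is relocated, check that those example payloads survive the move rather than being lost as they are here.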