Ticket #130 (new developer task)
Remove possibility to add HTML in adminwords
| Reported by: | Matthias Hess (globetrotter_tt) | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | unassigned |
| Component: | BW General | Keywords: | admin adminwords HTML security risk |
| Cc: | | | |
Description
I just noticed that it is possible to add HTML in adminwords. Not only is it a security risk, it also messes up the layout when a translator fills in markup there.
So please NO HTML in adminwords.
Change History
comment:1 Changed 5 years ago by micha
- Reporter changed from micha to Matthias Hess (globetrotter_tt)
comment:2 Changed 5 years ago by lemon-head
ok, but...
For instance, on the start page I added a link to the "Join a team" wiki page, using the translation system. This might be a dirty method, but is it really necessary to hard-code every hyperlink? Should we not allow some freedom for the people who write our texts? Without creating a ticket!
Maybe bbcode can be the solution?
comment:3 Changed 5 years ago by lemon-head
Moreover, this allows us to have specific stuff for each language. For instance, if we have a special page somewhere for French-speaking people, then the translators have the possibility to place a link to this page only in the French version.
Or do we have other methods for publishing?
comment:4 Changed 4 years ago by jeanyves
- follow_up set to none
Please, before someone touches this, get in contact with me.
This is also to be connected to some words improvements:
- variables in words
- words calling other words
- maybe wiki-like syntax for words, etc., etc.
comment:5 Changed 4 years ago by ocal5
Sure, when we have to put a <b>, we must never forget to put another </b>... but it's very often useful to add some <br> in order to get something readable. So, if it is possible, wiki syntax or something like it will be a good solution to me (because no more security risk). But it doesn't seem that easy to do. Good luck!
comment:6 Changed 4 years ago by lemon-head
What exactly is the security problem: To have this stuff in the database, or to have it displayed on a page?
comment:7 Changed 4 years ago by jeanyves
I don't think this is such a big problem. I agree that in future some alternative is to be found.
When a closing tag is missing, it is generally quickly fixed.
Maybe it makes sense, however, to forbid some HTML, but <b>, <a> and maybe <img> are for now very useful. About security, for now we are to consider that translators are quite trustworthy people; I think this is the case.
IMHO: this problem, which is a real one, I agree, is a less urgent issue.
comment:9 Changed 4 years ago by jeanyves
- Priority changed from critical to major
- freq_reported set to 1
- show_on_bw set to 0
Reducing the priority (@Matthias, this is mainly because I think there are other tasks with higher priority; the ticket still makes sense, but will probably need a lot of discussion).
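One way to get the middle ground comments 5 and 7 ask for (keep a few formatting tags, show every other tag as plain text, and auto-close a tag the translator forgot), as an added example that is not the project's own code: a Python allowlist filter for adminwords strings. The tag set (with <img> left out), the link rules and the name `sanitize_adminword` are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed allowlist: the tags comments 5 and 7 ask to keep. Any other tag is shown
# as literal text, so a translator can neither inject scripts nor break the layout.
ALLOWED_TAGS = {"b", "i", "br", "a"}
VOID_TAGS = {"br"}

class AdminwordSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack used to auto-close forgotten </b>, </i>, </a>

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        # <a> may point to http(s) or a site-relative path only: no javascript:, data:, //host
        safe = urlparse(href).scheme in ("http", "https") or (
            href.startswith("/") and not href.startswith(("//", "/\\")))
        if tag not in ALLOWED_TAGS or (tag == "a" and not safe):
            self.out.append(escape(self.get_starttag_text()))  # show it, don't render it
            return
        self.out.append('<a href="%s">' % escape(href) if tag == "a" else "<%s>" % tag)
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)
    handle_startendtag = handle_starttag  # <br/> is treated exactly like <br>

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            self.out.append(escape("</%s>" % tag))  # stray closing tag: escape it
            return
        while self.open_tags:  # also close anything still open inside this tag
            inner = self.open_tags.pop()
            self.out.append("</%s>" % inner)
            if inner == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))

    def result(self):
        self.close()
        while self.open_tags:  # comment 5: the translator forgot a closing tag
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)

def sanitize_adminword(text):
    parser = AdminwordSanitizer()
    parser.feed(text)
    return parser.result()
```

A rejected tag is kept as escaped text rather than silently dropped, so the translator sees on the page exactly what was not accepted.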