Opened 10 years ago

Closed 5 years ago

#130 closed task (wontfix)

Remove possibility to add HTML in adminwords

Reported by: Matthias Hess (globetrotter_tt) Owned by:
Priority: major Milestone: unassigned
Component: BW General Keywords: admin adminwords HTML security risk
Cc:

Description

I just noticed that it is possible to add HTML in adminwords. Not only is it a security risk, it also messes up the layout when a translator fills in markup there.

So please NO HTML in adminwords.

Change History (11)

comment:1 Changed 10 years ago by micha

  • Reporter changed from micha to Matthias Hess (globetrotter_tt)

comment:2 Changed 10 years ago by lemon-head

ok, but...

For instance, on start page I added a link to the "Join a team" wiki page, using the translation system. This might be a dirty method, but is it really necessary to hard-code every hyperlink? Should we not allow some freedom for the people who write our texts? Without creating a ticket!

Maybe bbcode can be the solution?

comment:3 Changed 10 years ago by lemon-head

Moreover, this allows having specific stuff for each language. For instance, if we have a special page somewhere for French-speaking people, then the translators have the possibility to place a link to this page only in the French version.

Or do we have other methods for publishing?

comment:4 Changed 10 years ago by jeanyves

  • follow_up set to none

Please, before someone touches this, get in contact with me.

This is also to be connected to some words improvements:

  • variable in words
  • words calling other words
  • maybe wiki-like syntax for words, etc., etc.

comment:5 Changed 10 years ago by ocal5

Sure, when we have to put a <b>, we have to never forget to put another </b>... but it's very often useful to add some <br> in order to get something readable.
So, if it will be possible, wiki syntax or something like it will be a good solution, to me (because no more security risk). But it doesn't seem that easy to do. Good luck!

comment:6 Changed 10 years ago by lemon-head

What exactly is the security problem: To have this stuff in the database, or to have it displayed on a page?

comment:7 Changed 10 years ago by jeanyves

I don't think this is such a big problem. I agree that in future some alternative is to be found.

When a closing tag is missing, it is generally quickly fixed.

Maybe it makes sense, however, to forbid some HTML, but <b>, <a> and maybe <img> are for now very useful.
About security, for now we are to consider that translators are quite trustworthy people; I think this is the case.

IMHO: this problem, which is a real one I agree, is a less urgent issue.
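The trade-off discussed in this thread (keep a handful of useful tags such as <b>, <a> and <br>, but stop scripts, event handlers and javascript: links from reaching the rendered page, and tolerate a forgotten closing tag) is what an allowlist sanitizer on the translation text gives you. The following is an added illustration written for this ticket page; it is not code from the BeWelcome project or from anyone in the thread, and the tag list, the `sanitize_adminword` name and the sample strings are assumptions chosen to match the tags the comments mention. It uses only the Python standard library.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist modelled on the tags named in the ticket (<b>, <a>, <br>).
# <img> is deliberately left out: its src would need the same URL checking and
# makes the page load remote content chosen by whoever edits the translation.
ALLOWED_TAGS = {
    "b": set(),
    "i": set(),
    "br": set(),
    "a": {"href"},
}
VOID_TAGS = {"br"}


def _safe_href(value):
    """Accept http(s) and site-relative URLs; reject javascript:, data:, //other-host."""
    if value is None:
        return False
    parsed = urlparse(value.strip())
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https"):
        return True
    # Scheme-less: only a site-relative path such as /wiki/JoinATeam is accepted.
    return scheme == "" and parsed.netloc == ""


class AdminWordSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags/attributes as markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []  # stack of allowed, non-void tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag (script, img, iframe, ...): show it as literal text.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # drops onclick=, style=, and every other attribute
            if tag == "a" and name == "href" and not _safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open:
            # Close anything opened after this tag as well, so nesting stays valid.
            while self.open:
                top = self.open.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break
        elif tag not in ALLOWED_TAGS:
            self.out.append(escape("</%s>" % tag))
        # A stray close tag for an allowed tag that is not open is simply dropped.

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        # Auto-close whatever the translator forgot (the missing </b> from the thread).
        while self.open:
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)


def sanitize_adminword(text):
    """Sanitize one translation string before it is stored or rendered."""
    parser = AdminWordSanitizer()
    parser.feed(text)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs, not real BeWelcome adminwords.
    for sample in (
        'Hello <b>world',
        '<a href="/wiki/JoinATeam">Join a team</a>',
        '<a href="javascript:alert(1)">click</a>',
        '<img src="x" onerror="alert(1)">',
        'line one<br>line two & three',
    ):
        print(repr(sample), "->", repr(sanitize_adminword(sample)))
```

Running the sanitizer at save time answers the question raised later in the thread about where the risk lives: stored markup is harmless until it is rendered unescaped, so the check must sit between the translator's input and the page output, and applying it once on write keeps the database clean as well. Tightening the allowlist later (for instance removing <i>) only requires re-running it over the stored words.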

comment:8 Changed 10 years ago by lemon-head

See also #371 - "sanitize translations"

comment:9 Changed 10 years ago by jeanyves

  • freq_reported set to 1
  • Priority changed from critical to major
  • show_on_bw set to 0

Reducing the priority (@Matthias, this is mainly because I think there are other tasks with higher priority; the ticket still makes sense, but will probably need a lot of discussion).

comment:10 Changed 5 years ago by jsfan

  • Milestone Future deleted

Milestone Future deleted

comment:11 Changed 5 years ago by shevek

  • Milestone set to unassigned
  • Resolution set to wontfix
  • Status changed from new to closed

Closing, as the translation team seems to do a good job even with the HTML around in a lot of admin words.
