
Cross-site scripting here at LWN

We would like to thank Marti Raudsepp for letting us know about a security hole in the comment submission code for the site. We believe it is now fixed and, in general, that we have tightened up our HTML handling for comments. As part of that, we removed support for many attributes on HTML tags by whitelisting a small set of attributes. We might very well have been over-zealous and removed support for legitimate attributes. Please let us know at lwn@lwn.net if that is the case.

We would also like to remind folks that we encourage anyone who finds a security problem with the site to contact us (lwn@lwn.net works for that too). We give prompt attention to such things and thank anyone reporting them—rather than, say, turning them over to law enforcement.
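The fix described above amounts to whitelisting: a small set of tags, a smaller set of attributes on each, and everything else stripped. The sanitizer below is an added example of that approach, not LWN's own code; the tag list, the URL-scheme check on `href` and `cite`, and the handling of unclosed tags are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
# Constructed whitelist for this example (tag -> attributes kept on it).
# Anything else, including every on* handler and style, is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "pre": set(), "code": set(), "br": set(), "blockquote": {"cite"},
           "q": {"cite"}, "a": {"href", "title"}}
VOID, URL_ATTRS = {"br"}, {"href", "cite"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")

def _safe_url(value):
    # Relative links pass; absolute ones must use a plain scheme, which
    # rejects javascript:, data:, vbscript: and the like (assumed policy).
    v = value.strip().lower()
    return ":" not in v or v.startswith(SAFE_SCHEMES)

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                      # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue                # e.g. onmouseover, style, class
            if name in URL_ATTRS and not _safe_url(value or ""):
                continue                # unsafe scheme: attribute removed
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        while tag in self.open:         # close only what we opened, in order
            self.out.append("</%s>" % self.open.pop())
            if self.out[-1] == "</%s>" % tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html):
    # Returns comment HTML containing only whitelisted tags and attributes.
    p = CommentSanitizer()
    p.feed(html)
    p.close()
    while p.open:                       # close anything the commenter left open
        p.out.append("</%s>" % p.open.pop())
    return "".join(p.out)
```

Adding the `<q>` tag a commenter asks for below is a one-entry change to `ALLOWED`; the point of the whitelist is that each such addition is deliberate.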



Cross-site scripting here at LWN

Posted Nov 5, 2009 8:08 UTC (Thu) by Klavs (subscriber, #10563)

IMHO it would be easier to find such issues if one had the code - to quickly find places that could be troublesome and worth a closer look (instead of "blackboxing").

Why was it that you didn't decide to release the site code after all?

"messy" code is not a real excuse.

Cross-site scripting here at LWN

Posted Nov 5, 2009 8:10 UTC (Thu) by Klavs (subscriber, #10563)

arghh - an edit feature would have been nice.. I hope you understand what I mean, despite my bad wording.

Cross-site scripting here at LWN

Posted Nov 5, 2009 10:05 UTC (Thu) by epa (subscriber, #39769)

Could you enable use of the <q> tag?

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds