+++ /dev/null
-When run with the `--sanitize` switch, which is turned on by default (see
-[[usage]]), ikiwiki sanitizes the html on pages it renders to avoid XSS
-attacks and the like.
-
-ikiwiki excludes all html tags and attributes except for those that are
-whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
-Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
-Notably it strips `style`, `link`, and the `style` attribute.
-
-ikiwiki uses the HTML::Scrubber perl module to perform its html
-sanitisation, and this perl module also deals with various entity encoding
-tricks.
-
-While I believe that this makes ikiwiki as resistant to malicious html
-content as anything else on the web, I cannot guarantee that it will
-actually protect every user of every browser from every browser security
-hole, badly designed feature, etc. I can provide NO WARRANTY, like it says
-in ikiwiki's [GPL](GPL) license.
-
-The web's security model is *fundamentally broken*; ikiwiki's html
-sanitisation is only a patch on the underlying gaping hole that is your web
-browser.
-
-----
-
-Some examples of embedded javascript that won't be let through.
-
-* <span style="background: url(javascript:window.location='http://example.org/')">test</span>
-* <span style="any: expression(window.location='http://example.org/')">test</span>
-* <span style="any: expression(window.location='http://example.org/')">test</span>
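Review bot: Deleting this page removes the only description of what `--sanitize` actually does (whitelisting via the Universal Feed Parser lists, stripping `style`, `link` and the `style` attribute, and the use of HTML::Scrubber for entity-encoding tricks), and the commit carries no replacement, so please confirm that text has been moved into the page that now documents sanitisation (the `[[usage]]` reference here suggests that is where readers will look) before the deletion lands. If the content is being moved, the last two example lines are identical (`any: expression(window.location=...)`) and one of them can be dropped in the new location.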