briefly describe XSS issue

author smcv <smcv@web>

Tue, 22 Mar 2016 06:45:03 +0000 (02:45 -0400)

committer admin <admin@branchable.com>

Tue, 22 Mar 2016 06:45:03 +0000 (02:45 -0400)
author smcv <smcv@web>
Tue, 22 Mar 2016 06:45:03 +0000 (02:45 -0400)
committer admin <admin@branchable.com>
Tue, 22 Mar 2016 06:45:03 +0000 (02:45 -0400)
diff --git a/doc/plugins/contrib/remark.mdwn b/doc/plugins/contrib/remark.mdwn

index 20f5b7d7e2ec9b45bc423d1c5db707f77ced688b..8c178321feb22f61ad6ddbeac168028c8513aedd 100644 (file)
--- a/doc/plugins/contrib/remark.mdwn
+++ b/doc/plugins/contrib/remark.mdwn
@@ -21,10 +21,11 @@ not elegantly). Clicking through to the slides works right, of course.
  
  See [[Discussion#inline]].
  
-## Concern: safety of web-editing
+## Problem: safety of web-editing
  
-Even though `remarkpage.tmpl` has no action links, is it still possible
-for someone to trick their way into web-editing a slide deck? And if
-they do, is that dangerous?
+This plugin is not currently safe for wikis where `.remark` pages can be
+edited by untrusted users; the [[plugins/htmlscrubber]] is unlikely to be
+able to prevent cross-site scripting in this plugin. Make sure only trusted
+(administrative) users can create or edit `.remark` pages.
  
  See [[Discussion#editing]].
author	smcv <smcv@web>
	Tue, 22 Mar 2016 06:45:03 +0000 (02:45 -0400)
committer	admin <admin@branchable.com>
	Tue, 22 Mar 2016 06:45:03 +0000 (02:45 -0400)