From: smcv Date: Tue, 22 Mar 2016 06:45:03 +0000 (-0400) Subject: briefly describe XSS issue X-Git-Tag: 3.20160506~29 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/4cee48b3ea754a28ef325b0ebc74ebe82dcfffd5?ds=sidebyside briefly describe XSS issue --- diff --git a/doc/plugins/contrib/remark.mdwn b/doc/plugins/contrib/remark.mdwn index 20f5b7d7e..8c178321f 100644 --- a/doc/plugins/contrib/remark.mdwn +++ b/doc/plugins/contrib/remark.mdwn @@ -21,10 +21,11 @@ not elegantly). Clicking through to the slides works right, of course. See [[Discussion#inline]]. -## Concern: safety of web-editing +## Problem: safety of web-editing -Even though `remarkpage.tmpl` has no action links, is it still possible -for someone to trick their way into web-editing a slide deck? And if -they do, is that dangerous? +This plugin is not currently safe for wikis where `.remark` pages can be +edited by untrusted users; the [[plugins/htmlscrubber]] is unlikely to be +able to prevent cross-site scripting in this plugin. Make sure only trusted +(administrative) users can create or edit `.remark` pages. See [[Discussion#editing]].