path: root/doc/plugins
author: smcv <smcv@web> 2016-03-22 02:45:03 -0400
committer: admin <admin@branchable.com> 2016-03-22 02:45:03 -0400
commit: 4cee48b3ea754a28ef325b0ebc74ebe82dcfffd5 (patch)
tree: caa704816db55c3aa90f457a6941be0fe3a73bdf /doc/plugins
parent: 2d1615c340407cd21ba478449ea1444bb46432ca (diff)
briefly describe XSS issue
Diffstat (limited to 'doc/plugins')
-rw-r--r-- doc/plugins/contrib/remark.mdwn | 9
1 files changed, 5 insertions, 4 deletions
diff --git a/doc/plugins/contrib/remark.mdwn b/doc/plugins/contrib/remark.mdwn
index 20f5b7d7e..8c178321f 100644
--- a/doc/plugins/contrib/remark.mdwn
+++ b/doc/plugins/contrib/remark.mdwn
@@ -21,10 +21,11 @@ not elegantly). Clicking through to the slides works right, of course.
See [[Discussion#inline]].
-## Concern: safety of web-editing
+## Problem: safety of web-editing
-Even though `remarkpage.tmpl` has no action links, is it still possible
-for someone to trick their way into web-editing a slide deck? And if
-they do, is that dangerous?
+This plugin is not currently safe for wikis where `.remark` pages can be
+edited by untrusted users; the [[plugins/htmlscrubber]] is unlikely to be
+able to prevent cross-site scripting in this plugin. Make sure only trusted
+(administrative) users can create or edit `.remark` pages.
See [[Discussion#editing]].
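Review bot: the added paragraph tells administrators to "make sure only trusted (administrative) users can create or edit `.remark` pages" but does not say how to enforce that in the wiki configuration; a pointer to the wiki's page-locking mechanism, or a sample pagespec restricting edits of `*.remark` pages to admins, would make the warning actionable rather than advisory. The hedge "is unlikely to be able to prevent cross-site scripting" also leaves the reader unsure whether the scrubber is bypassed entirely or merely insufficient for this plugin's output; a single clause stating which it is would let an admin judge the exposure without following the discussion link.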