
Allowing users to enter arbitrary HTML exposes the wiki to cross-site scripting (XSS) attacks: anyone who can edit a topic can plant script that runs in the browser of every other user who views that topic, with that user's session and privileges. This is precisely why virtually all wikis forbid arbitrary HTML. The defense offered for TWiki is "TWiki is for corporate use, not commercial", which really means "not the public internet": every author is assumed to be a trusted insider. That is an incredibly weak defense, valid only to a very limited extent, because it holds only as long as no account is malicious or compromised.

Allowing arbitrary HTML does have benefits. For many TWiki users it is one of the primary reasons for choosing TWiki in the first place. "I was a bit afraid that disabling all HTML would force one to invent tons of ugly TWiki constructs to replace HTML. That's the trend I have seen on TWiki with no HTML" (Colas on IRC)

However, none of this means the risk doesn't exist. What it does mean is that some careful thinking needs to take place about how to lessen the risk without losing the benefits of HTML: keep the harmless formatting users want, and strip only what can execute script.
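One concrete way to lessen the risk without giving up HTML is an allowlist sanitizer: structural and formatting tags pass through, while script and style elements, event-handler attributes and script-scheme URLs are removed. The following Python is an added example written for this page, not TWiki code (TWiki is written in Perl); the tag and attribute allowlist is illustrative, not TWiki's actual policy, and the sample inputs are constructed.

```python
"""Allowlist HTML sanitizer (illustrative example, not TWiki's code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: what a wiki might reasonably let authors use.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "em", "strong", "u", "code", "pre", "ul", "ol", "li",
    "a", "img", "table", "tr", "td", "th", "h1", "h2", "h3", "blockquote",
}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Reject javascript:, data:, vbscript: and friends.

    Whitespace and control characters are removed first because browsers
    tolerate forms such as "java\\tscript:" that a naive check would miss.
    """
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0   # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return   # unknown tag is dropped; its inner text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue   # this drops every on* handler and style=
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag too, so output stays balanced.
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions are silently dropped
    # because HTMLParser's default handlers for them do nothing.

    def result(self):
        while self.open_tags:   # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    p = Sanitizer()
    p.feed(html)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample inputs: benign markup mixed with XSS attempts.
    for sample in (
        '<b>bold</b> and <a href="http://example.com" onclick="alert(1)">link</a>',
        "<script>alert(document.cookie)</script><p>hi</p>",
        '<a href="JaVa&#9;ScRiPt:alert(1)">x</a>',
        '<img src="x" onerror="alert(1)">',
        "<div><i>unclosed",
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Note that sanitizing raw HTML is notoriously hard (browser parser quirks and mutation XSS routinely defeat hand-written filters), so in production a maintained sanitizer library is a better choice than this kind of home-grown code; and whatever the allowlist lets through is still trusted from every author, so the weak "insiders only" argument above does not go away, it just covers less.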

There are many topics on twiki.org about this issue. Those who know them, please link them here. Better yet, if you have the time, refactor them.

Topic revision: r3 - 2005-10-04 - SamHasler
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.