Absolutely, the proper solution is to add to the filtered HTML input filter those tags which are secure and absolutely indispensable.
Very important point.
Victor Kane http://awebfactory.com.ar
On 2/20/07, Heine Deelstra hdeelstra@gmail.com wrote:
Victor Kane wrote:
You must either change the default input filter to full html, or else edit the off-the-shelf default "filtered html" to include the basic tags users create with tinyMCE.
I sometimes wonder why we even bother doing http://drupal.org/security.
Unless you are the only user posting on the site, setting Full HTML as the default input format is both 1) the easy way out and 2) insecure.
- You can simply investigate which tags are needed and add those to the HTML filter.
- Insecure, because you allow all users to execute cross site scripting attacks.
Regards,
Heine
[ Drupal support list | http://lists.drupal.org/ ]
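Added example (not code from the thread or from Drupal): a small allowlist-based HTML filter that illustrates what the "filtered html" input format does, so you can see why extending its tag list is safer than switching to Full HTML. The allowlist below assumes the tag set Drupal's default Filtered HTML format shipped with at the time (`a em strong cite code ul ol li dl dt dd`); extend it with whatever tags your editor actually emits. The sample input and the `track()`/`doSomething()` names are constructed for the demonstration.

```python
from html.parser import HTMLParser
from html import escape

# Assumed allowlist: Drupal's default "Filtered HTML" tag set of that era.
# Add the tags your WYSIWYG editor produces (e.g. "p", "br") instead of
# switching the whole site to Full HTML.
ALLOWED_TAGS = {"a", "em", "strong", "cite", "code", "ul", "ol", "li", "dl", "dt", "dd"}
# Attributes kept per tag; everything else (on*, style, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# href values must start with one of these, so "javascript:" URLs are dropped.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
# Tags that never get a closing tag emitted, should they be allowlisted.
VOID_TAGS = {"br", "hr", "img"}


class AllowlistFilter(HTMLParser):
    """Rebuild the input keeping only allowlisted tags and attributes.

    Disallowed tags are removed but their text content is kept (escaped),
    so a stripped <script> leaves only inert text behind.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text stays text.
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments carry nothing a post needs; drop them


def filter_html(raw):
    """Return `raw` with only allowlisted tags/attributes, like Filtered HTML.
    Full HTML, by contrast, would return `raw` unchanged for every user."""
    parser = AllowlistFilter()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


# Constructed sample post: mixes wanted formatting with things the filter
# should remove (an event handler attribute, a javascript: link, a script tag).
SAMPLE = (
    '<p>Hello <strong onclick="track()">world</strong>, '
    'see <a href="javascript:void(0)" title="x">here</a> '
    'and <a href="https://example.org/">there</a>.</p>'
    '<script>doSomething()</script>'
)

if __name__ == "__main__":
    print(filter_html(SAMPLE))
```

Running it prints `Hello <strong>world</strong>, see <a title="x">here</a> and <a href="https://example.org/">there</a>.doSomething()`: the `<p>` tag is dropped because it is not in the allowlist (which is exactly the kind of tag you would investigate and add for a TinyMCE site), while the event handler, the `javascript:` link and the script element are removed regardless.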