[development] html attributes not filtered and the effect of not filtering

Walt Daniels wdlists at gmail.com
Mon Jan 23 17:14:52 UTC 2012

We had the following spam posted as a comment (modified to eliminate bad

<div class="content">
<p>This height should be a beautiful place and the air must be really
<ul id="clean-url" class="install">
<li>Video de femmes avec ... <a href="http://www.example.com">bad site</a>
en vidéo</li>

This is using some css in the standard Drupal css to suppress the
visibility of the bad stuff. Filtered html does not get rid of this. (We
allow Filtered HTML in comments.) The result is that our spam checkers
don't see the spam. Incidentally Mollom did not flag it either although the
words in it, if in English, would probably have flagged it.

The result is that the bad site gets credit in search engines for a link
from another site and almost no one sees or clicks on the link. I think the
cloaking is also forbidden by Google, for instance, and they may penalize
our site.

Walt Daniels
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20120123/73ffb541/attachment.html 

More information about the development mailing list