Updated 2007-07-30 16:36:55 by colin

Notice anything different about this page title? Hmm?

This is a serious security hole and should be corrected. -FW

12feb03 jcw - Done, thanks.

FW: Well, it was done, but now this page title displays underlined again.

30apr03 jcw - Whoops, I forgot pages that have no refs (it affects the way the title is displayed). Fixed.

30apr03 Jacob Levy - Can someone explain what the problem was? :)

The problem is that allowing HTML tags in the title and body allows anyone to add client-side-scripting commands to a page, allowing for all kinds of horrors on your local hard drive. Although this doesn't seem to cause many problems in practice, it is considered a very large gaping security hole. Almost all browsers have gaping security holes; use your imagination when trying to conceive interesting attacks on machines of popular Tclers.

escargo - If you looked at this page at the right time, you have seen that the title was rendered as underlined text, apparently showing that the HTML in the name was actually getting interpreted. Presumably this indicates a hole that might allow malicious HTML to get executed.

escargo 1 May 2003 - Ooh, ooh! Look at the WikiDiff[1] for this page! The underlining shows up there!

ps 1 May 2003 - Doh! I thought I had fixed that long ago, must have escaped into limbo. Done. Again. Thanks.

DKF 29 July 2007: Current renderer gets this wrong too...

CMcC 31Jul07: Fixed now.
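
The thread above shows the same escaping fix being needed separately for titles on pages with refs, titles on pages without refs, and the diff view. As an added example (Python, not the wiki's own code), the following routes every render path through one escaping helper and checks each path with a constructed probe title; all function names and the `/ref/page` URL are hypothetical.

```python
import html

# Constructed probe: a title carrying markup, like the underlined title discussed above.
PROBE_TITLE = 'Notice <u>anything</u> & "different"?'

def esc(text):
    """Escape &, <, >, " and ' so text is safe in element content and quoted attributes."""
    return html.escape(text, quote=True)

# Hypothetical render paths, one per place the thread reports the title leaking.
def render_title_with_refs(title, ref_url):
    # Title shown as a link to the page's back-references.
    return '<h1><a href="%s">%s</a></h1>' % (esc(ref_url), esc(title))

def render_title_no_refs(title):
    # Pages without references take a different branch; it must escape too.
    return '<h1>%s</h1>' % esc(title)

def render_diff_line(marker, line):
    # The diff view re-displays stored text, so it needs the same treatment.
    return '<pre>%s %s</pre>' % (esc(marker), esc(line))

def render_title_unescaped(title):
    # The 'before' behaviour: the title is interpolated as-is.
    return '<h1>%s</h1>' % title

def leaking_paths(renderers, probe=PROBE_TITLE):
    """Return the names of render paths whose output still contains the probe's raw tags."""
    leaks = []
    for name, render in renderers.items():
        out = render(probe)
        if '<u>' in out or '</u>' in out:
            leaks.append(name)
    return sorted(leaks)

RENDERERS = {
    'title_with_refs': lambda t: render_title_with_refs(t, '/ref/page'),
    'title_no_refs': render_title_no_refs,
    'diff_view': lambda t: render_diff_line('+', t),
    'legacy_unescaped': render_title_unescaped,
}

if __name__ == '__main__':
    # Any name printed here is a path that needs the escaping fix.
    print(leaking_paths(RENDERERS))
```

Registering each new renderer in `RENDERERS` keeps the check covering code paths added later, which is where the fix was missed each time in the thread.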