Fossil Forum

Should safe-html setting be part of the skin config group?
Login

Should safe-html setting be part of the skin config group?

Should safe-html setting be part of the skin config group?

(1) By Stephan Beal (stephan) on 2020-08-11 11:22:31 [link] [source]

While patching the help generator to escape < so that /help?cmd=safe-html works (oh, wow, that's already online - that was fast), it occurred to me that safe-html is not in the syncable configuration. On the one hand that makes sense because it's potentially security-relevant, but on the other it means that wiki pages, tickets, and/or embedded docs may be somewhat broken when cloned unless the cloner sets that flag to include "w", "t", and/or "b".

It could be argued that safe-html belongs to CONFIGSET_SKIN, but i have to assume there's a reason it's not in that group (or any other, for that matter).

:-?

(2) By Richard Hipp (drh) on 2020-08-11 12:43:15 in reply to 1 [source]

I'm ok with adding safe-html to CONFIGSET_SKIN. When an admin does a "fossil config pull skin", they are trusting the remote repo.