Should safe-html setting be part of the skin config group?
(1) By Stephan Beal (stephan) on 2020-08-11 11:22:31
While patching the help generator to escape < so that /help?cmd=safe-html works (oh, wow, that's already online - that was fast), it occurred to me that safe-html is not in the syncable configuration. On the one hand that makes sense because it's potentially security-relevant, but on the other it means that wiki pages, tickets, and/or embedded docs may be somewhat broken when cloned unless the cloner sets that flag to include "w", "t", and/or "b".
It could be argued that safe-html belongs to CONFIGSET_SKIN, but i have to assume there's a reason it's not in that group (or any other, for that matter).
(2) By Richard Hipp (drh) on 2020-08-11 12:43:15 in reply to 1
I'm ok with adding safe-html to CONFIGSET_SKIN. When an admin does a "fossil config pull skin", they are trusting the remote repo.