Old 02-04-2012, 09:03 AM   #255
eureka
but forgot what it's like
 
Posts: 741
Karma: 2345678
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
@ixtab, please, don't include Pillow and WAF resources in your [automatically built] snapshots yet!!

(However, localization bundles built for testing purposes with manual checking of translated Pillow/WAF resources before building are OK.)

Pillow and WAF strings are used in HTML. They are a possible source of XSS, and I've overlooked this fact. I must implement some solution to filter these strings and leave only allowed HTML tags (so far, I've found two such tags in the original JS files: <br> and <p>).

Also, I've missed WAF's browser/readability/messages.js in the extraction process. There is an <a> tag in this file with embedded JavaScript as an onClick handler. This embedded JavaScript probably should go into metadata...
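The filter the post says is still needed, as an added example that is not eureka's code nor anything from the Kindle Pillow/WAF sources: translated strings are treated as plain text except for the two tags found in the original JS files, <br> and <p>, which pass through in canonical form. Any other tag, and any tag that carries attributes (which covers the <a onClick=...> pattern from messages.js), is HTML-escaped instead of being inserted as markup. The function and bundle names, and the sample strings, are constructed for this example.

```javascript
// Added example (not the Kindle Pillow/WAF code): whitelist filter for
// translated UI strings that are later inserted into HTML. Only <br> and
// <p>/</p> survive; everything else is escaped, so an edited translation
// bundle cannot inject markup or script into the page that renders it.

// Plain-text escaping for everything that is not a whitelisted tag.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Matches only attribute-free tags: optional '/', a name, optional
// whitespace, optional trailing '/'. A tag with attributes such as
// <a href="#" onClick="..."> never matches and is therefore escaped.
const BARE_TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*(\/?)>/g;

// Canonical form of an allowed tag, or null if the tag is not allowed.
function allowedTag(closing, name, selfClosing) {
  const n = name.toLowerCase();
  if (n === 'br' && !closing) return '<br>';                 // <br>, <br/>, <BR />
  if (n === 'p' && !selfClosing) return closing ? '</p>' : '<p>';
  return null;
}

// Walk the string, copying allowed tags and escaping all other content.
function sanitizeLocalizedString(input) {
  let out = '';
  let pos = 0;
  for (const m of input.matchAll(BARE_TAG)) {
    const [whole, closing, name, selfClosing] = m;
    out += escapeHtml(input.slice(pos, m.index));
    const tag = allowedTag(closing === '/', name, selfClosing === '/');
    out += tag !== null ? tag : escapeHtml(whole);
    pos = m.index + whole.length;
  }
  return out + escapeHtml(input.slice(pos));
}

// Apply the filter to every entry of a translation bundle before the
// bundle is shipped or rendered.
function sanitizeBundle(bundle) {
  const clean = {};
  for (const key of Object.keys(bundle)) {
    clean[key] = sanitizeLocalizedString(bundle[key]);
  }
  return clean;
}

// Constructed sample bundle (not real Kindle strings): a benign entry, a
// hostile one smuggling an event handler, and one shaped like the
// <a onClick=...> found in messages.js.
const SAMPLE_BUNDLE = {
  ok:   'Line one<br>Line two<p>Paragraph</p>',
  evil: 'Hello<img src=x onerror="alert(1)">',
  link: '<a href="#" onClick="doThing()">Retry</a>',
};

console.log(sanitizeBundle(SAMPLE_BUNDLE));
```

Run the filter over a bundle at build time, or on each string immediately before it is assigned to innerHTML; the <a onClick=...> entry comes out as visible escaped text rather than a working link, which is the point: a clickable handler has to be supplied by the code that renders the message, not by the translation.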