HTML encoding

Apr 4, 2008 at 4:07 PM
Do you plan to add a restricted mode so that it's possible to prevent XSS? Right now it is not possible to HtmlEncode the input of Textile, since double quotes would prevent hyperlinks from being set ( "title":link ). The best way would be to set a RestrictedMode to true, and Textile would output all regular text as encoded HTML text.
Thanks
May 20, 2008 at 4:39 PM
Edited May 20, 2008 at 5:31 PM
Good idea.
However, I'm not sure it would be much more secure. Textile.Net would still transform or preserve anything that looks like Textile or HTML syntax. The only thing that Textile.Net would do "better" would be to preserve whatever HTML tag it creates itself. This means HTML input could be encoded, but XSS would still be possible through Textile syntax.
May 21, 2008 at 12:48 PM
Well, you just have to ensure that the output cannot contain a script tag. There is a PHP Textile library that does this (can't remember which one).
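A minimal sketch of the restricted mode proposed in the first post, added here as an illustration and not code from Textile.Net: only the link syntax "title":url is recognised, every other character of the input is HTML-encoded, and the generated anchor is the sole markup that can appear in the output. The scheme allowlist (SAFE_SCHEMES) and the names render_restricted and safe_href are assumptions of this example; it is meant to show how the encoded-text rule and the "no script tag in the output" requirement from the reply above can both hold at once.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical restricted-mode renderer (example code, not Textile.Net).
# Only the Textile link construct "title":url is turned into markup;
# everything else is HTML-encoded, so input tags never survive as tags.
LINK_RE = re.compile(r'"([^"\n]+)":(\S+)')

# Allowlist of URL schemes the renderer will emit in an href (assumption).
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(url):
    """Return url if it is safe to emit in an href, otherwise None.

    Absolute URLs must use an allowlisted scheme; site-relative paths
    (starting with "/") carry no scheme and are accepted as well.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() in SAFE_SCHEMES:
        return url
    if parts.scheme == "" and url.startswith("/"):
        return url
    return None


def render_restricted(text):
    """Render Textile-style links; HTML-encode all remaining text."""
    out = []
    pos = 0
    for m in LINK_RE.finditer(text):
        # Plain text between links is always encoded, including quotes.
        out.append(html.escape(text[pos:m.start()]))
        title, url = m.group(1), m.group(2)
        href = safe_href(url)
        if href is None:
            # Disallowed target: the whole construct is shown as text, not a link.
            out.append(html.escape(m.group(0)))
        else:
            # Both the attribute value and the link text are encoded.
            out.append('<a href="%s">%s</a>'
                       % (html.escape(href, quote=True), html.escape(title)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```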
May 22, 2008 at 5:55 AM
Okay, I'll try to add this with the next release.
Thanks for the feedback!
Jun 22, 2008 at 8:38 PM
Seems to me that XSS prevention and other security stuff might not be the responsibility of the Textile.Net component. If you start incorporating all kinds of security features here it might prove bad for cohesion. However, I do agree that the wiki or publishing engine should cover this in the authoring pipeline.