Mon Jan 20 13:54:57 2025 UTC
UPD (Jan 21, 2025): version 0.3.50 was found to be buggy. Please download version 0.3.51, which is a quick-fix release.
Some brain-damaged webcoding addicts demonstrated to me (by submitting
comments with some related crap) the possibility to introduce JavaScript
into user comments using tag attributes that appeared in HTML5, such as
onclick, onpageshow etc., and browsers happily
ignore the fact that the document they render has nothing to do with HTML5. I
have to admit I didn't realize things like that are possible. Luckily, all
my sites are premoderated, so no visible consequences occurred, but it
became obvious to me that tag attributes need to be filtered just like
the tags themselves.
It took several days of work to significantly rewrite the filter (for those
who're curious, it is implemented in the
lib/stfilter/stfhtml.cpp file using an FSM) and to add the
appropriate support to Thalassa itself, as well as to the
thalcgi.cgi program. Anyway, Thalassa 0.3.50 is now ready and has just been made available.
There are two user-visible changes:

1. tag_attributes is added to the [format] section, both in the Thalassa
main configuration and in the thalcgi.ini file. A kinda-safe default is
provided for its value: a=href img=src img=alt, which only allows the
href attribute within the a tag, and the src and alt attributes within the
img tag, provided the tags themselves are allowed. All this only affects
headed text files where the tags flag is found in the format header field
(typically the comments written by users using the web interface). You
only need to worry about this if you really wish to allow users to do more
within their comments, like, e.g., allowing the style attribute for all
tags (think carefully before you do).

2. In the thalcgi.cgi configuration, the %[cmtinfo:attrs] macro function
is added.

Nothing should (hopefully) break on your site if you move to this new version from the previous one; most users leaving comments simply don't remember all these tag attributes exist. However, we strongly recommend testing it before deploying it on running sites.
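To show what the tag_attributes allow-list means in practice, here is an added example in Python; it is not Thalassa's own code (whose filter lives in lib/stfilter/stfhtml.cpp and is an FSM, not regexes). It parses the default policy a=href img=src img=alt and strips every attribute not listed for its tag, so event-handler attributes such as onclick and onpageshow never reach the rendered page; the sample input is constructed.

```python
import re

# Policy in the format of the tag_attributes setting: whitespace-separated
# "tag=attr" pairs. The value below is the default quoted in the release note.
DEFAULT_POLICY = "a=href img=src img=alt"

# A whole tag, honouring quoted values so a '>' inside quotes cannot end it early;
# a lone '<' that does not start a well-formed tag is matched by the second branch.
TOKEN_RE = re.compile(r"""<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>|<""")
# One attribute: a name, optionally followed by '=' and a quoted or unquoted value.
ATTR_RE = re.compile(r"""\s*([^\s=/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?""")

def parse_policy(spec):
    """Turn 'a=href img=src img=alt' into {'a': {'href'}, 'img': {'src', 'alt'}}."""
    allowed = {}
    for item in spec.split():
        tag, _, attr = item.partition("=")
        allowed.setdefault(tag.lower(), set()).add(attr.lower())
    return allowed

def filter_attributes(html, policy):
    """Keep only allow-listed attributes; any other attribute (onclick,
    onpageshow, style, ...) is dropped. Allow-listing of the tags themselves
    is assumed to happen elsewhere, as the separate 'tags' filter does."""
    def rewrite(m):
        closing, tag, rest = m.group(1), m.group(2), m.group(3)
        if tag is None:                      # stray '<': neutralise it
            return "&lt;"
        tag = tag.lower()
        if closing:
            return "</%s>" % tag
        self_closing = rest.rstrip().endswith("/")
        if self_closing:
            rest = rest.rstrip()[:-1]
        kept = []
        for am in ATTR_RE.finditer(rest):
            name, value = am.group(1).lower(), am.group(2)
            if name in policy.get(tag, ()):
                # Values pass through as written; checking e.g. the URL
                # scheme of href is a separate concern not covered here.
                kept.append(name if value is None else "%s=%s" % (name, value))
        attrs = "".join(" " + a for a in kept)
        return "<%s%s%s>" % (tag, attrs, "/" if self_closing else "")
    return TOKEN_RE.sub(rewrite, html)

if __name__ == "__main__":
    policy = parse_policy(DEFAULT_POLICY)
    sample = '<a href="/x" onclick="alert(1)">t</a> <b onpageshow="alert(1)">u</b>'
    print(filter_attributes(sample, policy))  # constructed input
```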