solo turn wrote:
> do you know a good example which shows this "VERY dangerous"?
> dangerous for whom? if somebody adds a javascript function that
> changes the admin password and hopes an admin would click on it?

That's one of many possibilities, yes. For background information,
google up cross-site scripting attacks as well as general browser
vulnerabilities (including among other things ActiveX malware and
various image decoder and other buffer overflows which could be
exploited on unpatched browsers by HTML injection).
Hijacking trusted site permissions to install malware on the client
machine, hijacking sessions to gain admin privileges on the wiki,
installing password sniffers, etc. (Remember that many people use the
same password on many sites.)

> we do not need real raw html, just the styles. do you see any danger
> in having the <style> tag enabled?

Internet Explorer executes JavaScript expressions and javascript: URLs
in CSS styles, so you'd want to be careful about filtering these. We do
some checks for that on style attributes in embedded HTML in the wiki.

-- brion vibber (brion @ pobox.com)
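
A sketch of the kind of style-attribute check described in the reply above, added here as an illustration and not the wiki software's own code. The function names are hypothetical, and the denylist assumes only the two constructs the reply names; the point is that a value has to be normalised (escapes, comments, whitespace, case) before it is matched.

```python
import re

# Only the two constructs named in the message above are denied here;
# this short denylist is an assumption of the example, not a complete policy.
_DENIED = re.compile(r"expression|javascript:", re.IGNORECASE)
_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.DOTALL)
_COMMENT = re.compile(r"/\*.*?(?:\*/|\Z)", re.DOTALL)  # unterminated runs to the end
_IGNORABLE = re.compile(r"[\x00-\x20\x7f]")  # whitespace and control characters


def _unescape(match):
    """Turn one CSS backslash escape into the character it stands for."""
    if match.group(1):
        codepoint = int(match.group(1), 16)
        return chr(codepoint) if 0 < codepoint <= 0x10FFFF else "\ufffd"
    return match.group(2)


def candidate_forms(style):
    """Return the normalised readings of a style value that a browser might use."""
    decoded = _ESCAPE.sub(_unescape, style)
    # Check with and without comments: a browser may disagree with this code
    # about where a comment starts, so no single reading is trusted alone.
    readings = (decoded, _COMMENT.sub("", decoded), _COMMENT.sub("", style))
    return [_IGNORABLE.sub("", reading) for reading in readings]


def is_style_allowed(style):
    """True if no reading of the style value contains a denied construct."""
    return not any(_DENIED.search(form) for form in candidate_forms(style))


# Constructed sample values, not taken from any real wiki page.
SAMPLES = [
    "color: red; font-weight: bold",
    "width: expression(1 + 1)",
    "width: e\\78pression(1)",                # hex escape for "x"
    "width: exp/**/ression(1)",               # comment splitting the keyword
    "background: url(java\tscript:void(0))",  # whitespace inside the scheme
    "width: \\2f* expression(1) */",          # escaped "/" faking a comment
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("allow " if is_style_allowed(sample) else "reject", repr(sample))
```

The check is deliberately conservative: a harmless value that merely mentions one of the denied words inside a comment is rejected as well.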