output/url should assume 'value' parameter means "untrusted data"
Reported by: ewinslow
I'd like to see output/url be more secure by default when the 'value' parameter is used to pass in the URL (paralleling the other output/* views). Two specifics:
- Automatically run it through filter_tags to combat XSS.
- Automatically add rel=nofollow to combat spam.
Use of 'href' can then indicate "trusted" content and no filter_tags or rel=nofollow would be added by default.
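The proposal above, as an added stand-alone illustration (this is not Elgg's own output/url view, and it does not bootstrap Elgg): a link renderer that treats 'value' as untrusted and 'href' as trusted. Since filter_tags() is not available outside Elgg, a strip_tags() plus scheme allow-list stands in for it; the `$vars` keys 'value', 'href', 'text' and 'attrs', the function name render_url, and the sample inputs are all assumptions made for the example.

```php
<?php
// Added illustration, not Elgg's output/url view. Runs stand-alone:
// filter_tags() is replaced by strip_tags() plus a URL scheme allow-list.

/**
 * Render an <a> tag the way the ticket proposes:
 *  - 'value' is untrusted: tags stripped, scheme checked, escaped, rel="nofollow" added
 *  - 'href'  is trusted: the caller vouches for it, so no filtering or nofollow
 *
 * @param array $vars view parameters (assumed keys: value, href, text, attrs)
 * @return string HTML, or '' when the untrusted URL is rejected
 */
function render_url(array $vars)
{
    $trusted = isset($vars['href']);
    $url  = $trusted ? $vars['href'] : (isset($vars['value']) ? $vars['value'] : '');
    $text = isset($vars['text']) ? $vars['text'] : $url;

    if (!$trusted) {
        // Stand-in for filter_tags(): remove any markup, then reject anything
        // that is not an http(s) or site-relative URL (javascript:, data:, ...).
        // Tag filtering alone would pass a bare "javascript:alert(1)" string,
        // because it contains no tags, hence the explicit scheme check.
        $url = trim(strip_tags($url));
        if (!preg_match('#^(https?://|/)#i', $url)) {
            $url = '';
        }
        $text = strip_tags($text);
    }
    if ($url === '') {
        return '';
    }

    $attrs = isset($vars['attrs']) ? $vars['attrs'] : array();
    $attrs['href'] = $url;
    if (!$trusted) {
        // Untrusted links should not pass link equity to spammers.
        $attrs['rel'] = 'nofollow';
    }

    // Escape every attribute value and the link text on output.
    $attr_str = '';
    foreach ($attrs as $name => $value) {
        $attr_str .= sprintf(' %s="%s"', $name, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    }
    return sprintf('<a%s>%s</a>', $attr_str, htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample inputs (not from the ticket):
// 1. untrusted value with a script URL: rejected, renders nothing
echo render_url(array('value' => 'javascript:alert(1)', 'text' => 'click')), "\n";
// 2. untrusted value with markup in the query string: stripped, escaped, nofollow added
echo render_url(array('value' => 'http://example.com/?q=<script>x</script>', 'text' => 'spam')), "\n";
// 3. trusted href: emitted as given, no nofollow
echo render_url(array('href' => '/profile/alice', 'text' => 'Alice')), "\n";
```

The second call is the case the ticket targets: a user-supplied URL ends up escaped inside `href` with `rel="nofollow"`, while the third call shows that using 'href' opts out of both. The scheme allow-list is the caveat to keep in mind if this is implemented with filter_tags(): tag filtering does not reject a plain `javascript:` or `data:` URL, so a check on the scheme is still needed for the untrusted path.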
Change History (13)
comment:10 Changed 2 years ago by cash
- Component changed from Core to UI/UX
- Difficulty set to easy
- Milestone changed from Needs Review to Elgg 1.8.1
comment:11 Changed 20 months ago by Cash Costello
- Resolution set to fixed
- Status changed from new to closed