
On Feb 20, 2008, at 10:40 AM, Paul Moore wrote:

So HTML markup is passed through unchanged? Surely that's fairly
insecure? It wouldn't be hard for a hacker to work out some sort of
<script></script> block that would do something nasty...

Hmm... yes... on the other hand... a wiki is under much more scrutiny than your average blog comment... so such nastiness would not last long...

One could disable free form HTML quite easily:

-- '.-' (lazy) stops at the first '>', so each tag is wrapped on its own;
-- the greedy '.*' would swallow everything from the first '<' to the last '>'
aText = aText:gsub( '(<.->)', '`%1`' )

That would escape any HTML automatically... not sure if one would like to put such a restriction though... something to ponder :)
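As an added example (not code from this thread; the function names and the sample string are mine), the following compares the one-liner above with a lazy-quantifier variant and with real entity escaping, on a constructed piece of wiki text. It shows why wrapping tags in backticks only changes how the wiki renders them, whereas replacing `&`, `<`, `>` and quotes leaves no markup characters for a browser to interpret:

```lua
-- Added example: three ways of neutralising HTML in wiki text, compared on a
-- constructed input. This is not code from the lua-l thread.

-- Constructed sample: two tags with ordinary text between them.
local sample = 'Hello <b>world</b> and <script>...</script> done'

-- 1. The pattern as posted: '.*' is greedy, so the single capture runs from
--    the first '<' to the last '>' and swallows the text in between.
local function wrap_greedy(s)
  return (s:gsub('(<.*>)', '`%1`'))
end

-- 2. Lazy quantifier '.-' stops at the first '>', so each tag is wrapped on
--    its own. Still only a rendering trick: the markup itself is unchanged and
--    depends on the wiki treating backticked text literally.
local function wrap_each_tag(s)
  return (s:gsub('(<.->)', '`%1`'))
end

-- 3. Entity escaping: replace every character that carries meaning in HTML.
--    gsub with a table does a single pass, so '&' is escaped exactly once and
--    the '&lt;' produced for '<' is never re-escaped.
local escapes = {
  ['&'] = '&amp;', ['<'] = '&lt;', ['>'] = '&gt;',
  ['"'] = '&quot;', ["'"] = '&#39;',
}
local function escape_html(s)
  return (s:gsub('[&<>"\']', escapes))
end

-- Quick check that no raw tag survives escaping.
local function has_tag(s)
  return s:find('<.->') ~= nil
end

print(wrap_greedy(sample))
print(wrap_each_tag(sample))
print(escape_html(sample))
print('raw tag left after escaping?', has_tag(escape_html(sample)))
```

Running it with a Lua interpreter shows the greedy version wrapping the whole span from `<b>` to `</script>` (including the word "world") in one pair of backticks, the lazy version wrapping each tag separately, and the escaped version containing no `<` at all, which `has_tag` confirms. The extra parentheses around each `gsub` call discard its second return value (the match count) so the functions return just the string.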