|
1 | 1 | ietfdb (6.75.0) ietf; urgency=medium |
2 | 2 |
|
3 | | - **Sanitized HTML uploads** |
| 3 | + **Sanitization of HTML uploads** |
| 4 | + |
| 5 | + During the last few IETF meetings, there have been a few cases of agenda and |
| 6 | + minutes uploads that have not worked well, for various reasons. Some have |
| 7 | + unintentionally used frames, and failed to include the frame contents; some |
| 8 | + have used iframes, which pulls the actual content from elsewhere, which |
| 9 | + means it won't actually be saved on the IETF servers and archived. There |
| 10 | + has also been issues relating to styling and use of javascript. This shows, |
| 11 | + of course, that malicious uploads (even if unintentional) are possible. |
| 12 | + |
| 13 | + Considering this, it seems that a good and general approach would be to do |
| 14 | + what is often called 'sanitization' of uploaded html content. (Uploaded |
| 15 | + text and markdown documents won't be affected). |
| 16 | + |
| 17 | + This release introduces such sanitization. |
| 18 | + |
| 19 | + The cost of this is that if you upload agendas and minutes in HTML format, |
| 20 | + you will need to check the results after upload, to make sure that the |
| 21 | + agenda and minutes still captures your intent after the sanitization. |
| 22 | + |
| 23 | + Additionally, there is, as usual, some other features and bugfixes: |
4 | 24 |
|
5 | 25 | * Added sanitization of uploaded html content for session agendas and |
6 | 26 | minutes, and did some refactoring of the upload form classes. |
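Review bot: The added paragraph beginning "Some have unintentionally used frames" lists the upload failure modes (frames, iframes, styling, javascript) but the entry never states what the sanitizer actually removes or rewrites, so the instruction to "check the results after upload" leaves uploaders with no idea which elements to expect to lose; suggest naming the stripped or allowed element set (or the sanitizer used) in the "This release introduces such sanitization." line. The parenthetical "Uploaded text and markdown documents won't be affected" should also say whether raw HTML embedded in markdown is rendered without passing through the same sanitization, since that would be the obvious way around the new check. Minor grammar in the hunk: "There has also been issues" should read "There have also been issues", and "agenda and minutes still captures your intent" should read "still capture".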
|