News list should encode text on the "Home" page

[Jari Häkkinen]

The home page accepts html tags whereas the BASE login page does not. Is it possible to make the login page to accept html markup and display it nicely (=news items in the home view of BASE).

[Nicklas Nordborg]

I think that it is how the news items are displayed in the home page that should be fixed. Input from users should never be displayed in "raw" format since it opens up for various kinds of scripting attacks.

The way the news are displayed on the login page allows a few "safe" HTML tags: <b>, <i>, <ul>, <li>, <ol>, <tt> and <code>. It will also link URLs automatically and create linebreaks (no need to have <p>!)

[Jari Häkkinen]

Replying to nicklas:

I think that it is how the news items are displayed in the home page that should be fixed. Input from users should never be displayed in "raw" format since it opens up for various kinds of scripting attacks.

The way the news are displayed on the login page allows a few "safe" HTML tags: <b>, <i>, <ul>, <li>, <ol>, <tt> and <code>. It will also link URLs automatically and create linebreaks (no need to have <p>!)

I noticed that <p> is needed for nice display in the home view, but the <p> is displayed on the login page. Changing one of the is enough for me but they should behave the same.

[Nicklas Nordborg]

(In [4725]) Fixes #1228: News list should encode text on the "Home" page