On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber <bvibber(a)wikimedia.org> wrote:
On Thu, Jan 29, 2015 at 5:38 PM, Brad Jorsch (Anomie) <bjorsch(a)wikimedia.org> wrote:
> On Thu, Jan 29, 2015 at 2:47 PM, Arlo Breault <abreault(a)wikimedia.org> wrote:
> > https://gerrit.wikimedia.org/r/#/c/181519/
>
> To clarify, the possible solutions seem to be:
>
> 1. Unstrip the marker and then encode the content. This is a security hole (T73167)
I'd be inclined to unstrip the marker *and squash HTML to plaintext*,
encode the plaintext...
I don't see how that addresses the security issue.