On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber bvibber@wikimedia.org wrote:
On Thu, Jan 29, 2015 at 5:38 PM, Brad Jorsch (Anomie) bjorsch@wikimedia.org wrote:
On Thu, Jan 29, 2015 at 2:47 PM, Arlo Breault abreault@wikimedia.org wrote:
To clarify, the possible solutions seem to be:
- Unstrip the marker and then encode the content. This is a security hole (T73167)
I'd be inclined to unstrip the marker *and squash HTML to plaintext*, then encode the plaintext...
I don't see how that addresses the security issue.