Brion Vibber wrote:
On Tue, 2003-09-16 at 14:48, Geoffrey Thomas wrote:
Whoops, sorry again. The page is on test wikipedia: http://test.wikipedia.org/wiki/JavaScript_table_security_hole
Oh, in Magnus's magic table code. Sigh...
{| onMouseOver="alert('hey');" foo 15
|[[Main Page]]
|}
OK, I hacked a little filter that will remove all parameters from table, td, and th that
* start with "on" (no JavaScript)
* have no value and are not "nowrap" ("foo" and "15" above)
It is quick'n'dirty, though. Perhaps we should use some code from removeHTMLtags instead?
Magnus
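
The two rules described in the message above, next to an allow-list variant, as an added example that is not code from this thread or from MediaWiki. It is written in Python rather than the wiki's PHP; the function names and the ALLOWED set are assumptions made for illustration.

```python
import html
import re

# One parameter token: a name, optionally followed by =value (quoted or bare).
ATTR_RE = re.compile(r'''([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"']+))?''')

# Assumed allow-list for this example; not MediaWiki's actual list.
ALLOWED = {"align", "valign", "border", "cellpadding", "cellspacing",
           "width", "bgcolor", "colspan", "rowspan", "nowrap"}


def parse_params(params):
    """Split a table/td/th parameter string into (name, value-or-None) pairs."""
    pairs = []
    for m in ATTR_RE.finditer(params):
        value = m.group(2)
        if value is not None and value[0] in "\"'":
            value = value[1:-1]  # strip the surrounding quotes
        pairs.append((m.group(1).lower(), value))
    return pairs


def emit(name, value):
    """Re-serialise one parameter with an escaped, double-quoted value."""
    return name if value is None else f'{name}="{html.escape(value)}"'


def filter_as_described(params):
    """Deny-list: drop on* names and valueless names other than nowrap."""
    kept = []
    for name, value in parse_params(params):
        if name.startswith("on"):
            continue
        if value is None and name != "nowrap":
            continue
        kept.append(emit(name, value))
    return " ".join(kept)


def filter_allowlist(params):
    """Allow-list: keep only known names; only nowrap may lack a value."""
    kept = []
    for name, value in parse_params(params):
        if name not in ALLOWED or (value is None and name != "nowrap"):
            continue
        kept.append(emit(name, value))
    return " ".join(kept)
```

Both filters reduce the parameters from the test page to an empty string; they differ on names neither rule mentions, which the deny-list keeps and the allow-list drops.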