Instead of stripping JavaScript from the input, why not strip it from the output (of the body, not the whole page)?
That would solve this problem and anything similar.
On Tue, 2003-09-16 at 23:02, Brion Vibber wrote:
On Tue, 2003-09-16 at 15:00, Brion Vibber wrote:
On Tue, 2003-09-16 at 14:48, Geoffrey Thomas wrote:
Whoops, sorry again. The page is on test wikipedia: http://test.wikipedia.org/wiki/JavaScript_table_security_hole
Oh, in Magnus's magic table code. Sigh...
{| onMouseOver="alert('hey');" foo 15 |[[Main Page]] |}
I'm deleting the page.
Or rather, I'm not, since it's on the test wiki. Urgh, brain not running on full today.
-- brion vibber (brion @ pobox.com) _______________________________________________ Wikitech-l mailing list Wikitech-l@Wikipedia.org http://mail.wikipedia.org/mailman/listinfo/wikitech-l