The current revision doesn't allow you to have quotes in the inline CSS; for example, the quotes in the following inline CSS will be converted to entities:
{{#css: .foo { font-family: "Times New Roman"; } }}
Simetrical wrote:
On Thu, Jul 31, 2008 at 4:58 PM, Aran <aran@organicdesign.co.nz> wrote:
I'm not sure about the exploit side of things, but what I do know is that if you add the htmlspecialchars then it breaks the functionality, because it converts quotes etc. in the inline CSS into entities, so it really needs to be removed.
Even if the CDATA declaration isn't there?
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l