by KK » Sat Dec 29, 2012 6:05 am
@cheesypoof
The 'whitelist' of supported HTML4 tags in Couch is:
'img', 'div', 'span', 'a', 'p', 'blockquote', 'code', 'address', 'cite',
'ul', 'ol', 'li', 'dd', 'dl', 'dt',
'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
'table', 'caption', 'col', 'colgroup', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr',
'br', 'hr', 'pre', 'b', 'u', 'i', 'strong', 'big', 'small', 'em', 'sub', 'sup',
'center', 'font', 'strike', 'del', 'abbr', 'dfn', 'samp'
As you can see, all the tags are purely 'structural' in function.
Tags like 'embed', 'script' etc. have been omitted because of their vulnerable nature that could expose them to XSS exploits.
The very concept of using a whitelist is to allow innocuous tags only.
When I see the list of new tags you pointed to, there are several that don't seem to fit the bill.
I think I'll have to study further how security experts are rating them.
Any help in singling out the 'structural' tags only is welcome.
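To make the whitelist idea concrete, here is a small sanitizer built on Python's standard-library HTMLParser. It is an added illustration, not Couch's own code (Couch is PHP, and its filter is not shown in this thread). The tag set is copied verbatim from the list above; everything else is an assumption for the example: a per-tag attribute whitelist, a URL-scheme check for `href`/`src`, and dropping the text inside `script`/`style` rather than just the tags. The attribute and scheme checks go beyond what the post describes, because a tag whitelist on its own still lets `<img onerror=...>` or `<a href="javascript:...">` through, and both are standard XSS vectors that any whitelist filter has to handle.

```python
import re
from html import escape
from html.parser import HTMLParser

# Tag whitelist, copied from the post above (HTML4 'structural' tags only).
ALLOWED_TAGS = {
    'img', 'div', 'span', 'a', 'p', 'blockquote', 'code', 'address', 'cite',
    'ul', 'ol', 'li', 'dd', 'dl', 'dt',
    'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
    'table', 'caption', 'col', 'colgroup', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr',
    'br', 'hr', 'pre', 'b', 'u', 'i', 'strong', 'big', 'small', 'em', 'sub', 'sup',
    'center', 'font', 'strike', 'del', 'abbr', 'dfn', 'samp',
}

# Assumption for this example: attributes permitted per tag. Anything not
# listed (onclick, onerror, style, ...) is removed. Tags absent from this
# dict keep no attributes at all.
ALLOWED_ATTRS = {
    'a': {'href', 'title'},
    'img': {'src', 'alt', 'width', 'height'},
    'td': {'colspan', 'rowspan'},
    'th': {'colspan', 'rowspan'},
    'abbr': {'title'},
    'dfn': {'title'},
}
URL_ATTRS = {'href', 'src'}
SAFE_SCHEMES = {'', 'http', 'https', 'mailto'}   # '' = relative URL
VOID_TAGS = {'img', 'br', 'hr', 'col'}
DROP_CONTENT = {'script', 'style'}               # drop the tag AND its text

_SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.\-]*):', re.I)


def _safe_url(value):
    """True if the URL has no scheme or one from SAFE_SCHEMES.

    Mirrors the browser URL parser's pre-processing so that
    'jav\\tascript:' or '\\x00javascript:' cannot slip past the check:
    strip leading/trailing C0 controls and spaces, remove tab/CR/LF anywhere.
    """
    cleaned = value.strip(''.join(chr(c) for c in range(0x21)))
    for ch in '\t\r\n':
        cleaned = cleaned.replace(ch, '')
    m = _SCHEME_RE.match(cleaned)
    scheme = m.group(1).lower() if m else ''
    return scheme in SAFE_SCHEMES


class WhitelistSanitizer(HTMLParser):
    """Re-serialises input HTML keeping only whitelisted tags/attributes."""

    def __init__(self):
        # convert_charrefs=True: text arrives decoded and is re-escaped on
        # output, so entity tricks cannot produce raw '<' in the result.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0   # nesting depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return          # unlisted tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ''
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append('<%s%s>' % (tag, ''.join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append('</%s>' % tag)

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                # comments (incl. IE conditional comments) dropped


def sanitize(html):
    p = WhitelistSanitizer()
    p.feed(html)
    p.close()
    return ''.join(p.out)


if __name__ == '__main__':
    # Constructed sample input, not taken from the thread.
    print(sanitize('<p>Hi <script>alert(1)</script><img src=x onerror=alert(1)>'
                   '<a href="jav&#x09;ascript:alert(1)">go</a></p>'))
```

Note that HTMLParser lower-cases tag and attribute names and decodes entities in attribute values before the sanitizer sees them, which is why the `&#x09;` in the `href` above is caught: the whitelist must be applied to the parsed form of the markup, never to the raw string with a regex.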