Forum OpenACS Q&A: Re: Issue with Xowiki, admins and richtext validation

Collapse
2: Re: Issue with Xowiki, admins and richtext validation (response to 1)
Posted by Emmanuelle Raffenne on 07/30/09 01:13 PM
site-wide admins can post anything they want at the wiki, which might be a good idea, but also at the forums and any other page that use a richtext widget. IMO, that's *not* a good idea at all.

Thanks for catching this. I'll remove that code from my local while a decision is made for core.

Collapse
3: Re: Issue with Xowiki, admins and richtext validation (response to 2)
Posted by Emmanuelle Raffenne on 07/30/09 01:17 PM
where "site-wide admins" must read "site-wide *and* package admins".
Collapse
4: Re: Issue with Xowiki, admins and richtext validation (response to 2)
Posted by Michael Steigman on 07/31/09 07:10 PM
Yeah. I don't even think it's a good idea in the wiki. Actually, it's a pretty bad idea, as we're finding out here. Applications that need different behavior from their richtext widgets should probably be forced to write their own. The core widget should not bypass security checks.