briefly describe XSS issue

2016-03-22 02:45:03 -04:00 · 2016-03-22 02:45:03 -04:00 · 4cee48b3ea
parent 2d1615c340
commit 4cee48b3ea
1 changed files with 5 additions and 4 deletions
--- a/doc/plugins/contrib/remark.mdwn
+++ b/doc/plugins/contrib/remark.mdwn
@ -21,10 +21,11 @@ not elegantly). Clicking through to the slides works right, of course.

 See [[Discussion#inline]].

-## Concern: safety of web-editing
+## Problem: safety of web-editing

-Even though `remarkpage.tmpl` has no action links, is it still possible
-for someone to trick their way into web-editing a slide deck? And if
-they do, is that dangerous?
+This plugin is not currently safe for wikis where `.remark` pages can be
+edited by untrusted users; the [[plugins/htmlscrubber]] is unlikely to be
+able to prevent cross-site scripting in this plugin. Make sure only trusted
+(administrative) users can create or edit `.remark` pages.

 See [[Discussion#editing]].