[buddypress-trac] [BuddyPress Trac] #7948: HTML sanitization for user-generated content in notification emails
buddypress-trac
noreply at wordpress.org
Tue Oct 9 18:43:45 UTC 2018
#7948: HTML sanitization for user-generated content in notification emails
--------------------------+----------------------------------
Reporter: boonebgorges | Owner: DJPaul
Type: enhancement | Status: new
Priority: normal | Milestone: Under Consideration
Component: Emails | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion |
--------------------------+----------------------------------
Comment (by boonebgorges):
Thanks for the thoughts, Paul.
Regarding a limited set of HTML elements, BP's default is a combination of
WP's default `$allowedtags`
(https://core.trac.wordpress.org/browser/tags/4.9.8/src/wp-includes/kses.php#L418)
plus a handful of others
(https://buddypress.trac.wordpress.org/browser/tags/3.2.0/src/bp-core/bp-core-functions.php#L3812).
I think we probably want to be more conservative
than this, disallowing the following from that combined list:
- `span`
- `blockquote`
- `cite`
- `q`
The rest are inline entities that should either be supported by, or
ignored by, email clients. Does that seem like a sensible place to start?
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7948#comment:2>
BuddyPress Trac <http://buddypress.org/>
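Added example (not BuddyPress or WordPress code) of the allowlist change the comment proposes: start from WP's `$allowedtags`, add BP's extras, drop `span`, `blockquote`, `cite` and `q`, and pass the result to `wp_kses()`. It assumes it runs inside WordPress (so `$allowedtags` and `wp_kses()` exist); the function names and the `$bp_extra` array are constructed stand-ins, not BP's real list.

```php
<?php
// Added example; function names are hypothetical, not BuddyPress APIs.
// Assumes WordPress is loaded: $allowedtags and wp_kses() come from wp-includes/kses.php.

// Tags the comment proposes to drop from the combined WP + BP list.
const BP_EMAIL_DISALLOWED_TAGS = array( 'span', 'blockquote', 'cite', 'q' );

/**
 * Build the email allowlist: WP's default $allowedtags plus BP's additions,
 * minus the tags that email clients render inconsistently or ignore.
 *
 * @param array $wp_tags Tag => attributes array, in the shape of $allowedtags.
 * @param array $bp_tags Extra tags BP adds (constructed placeholder below).
 * @return array Allowlist in the format wp_kses() expects.
 */
function bp_email_build_allowed_tags( array $wp_tags, array $bp_tags ) {
    $combined = array_merge( $wp_tags, $bp_tags );
    foreach ( BP_EMAIL_DISALLOWED_TAGS as $tag ) {
        unset( $combined[ $tag ] );
    }
    return $combined;
}

/**
 * Sanitize user-generated content before it is placed in an email body.
 * wp_kses() removes every tag not in the allowlist and every attribute not
 * listed for an allowed tag, but keeps the text inside removed tags.
 */
function bp_email_sanitize_content( $content, array $allowed ) {
    return wp_kses( $content, $allowed );
}

// Usage inside WordPress.
global $allowedtags;
$bp_extra = array( // constructed stand-in for BP's additions
    'span' => array( 'class' => true ),
    'br'   => array(),
);
$allowed = bp_email_build_allowed_tags( $allowedtags, $bp_extra );

// Constructed sample of user-generated content with a disallowed tag and
// event-handler attributes that must not reach the email.
$raw = 'Hi <strong>Boone</strong>, <span onclick="alert(1)">see</span> <q>this</q> '
     . '<a href="https://example.com" onmouseover="x()">link</a>';
echo bp_email_sanitize_content( $raw, $allowed );
// => Hi <strong>Boone</strong>, see this <a href="https://example.com">link</a>
```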