From 4f7cd5159f23b4e7c588ebc21f2864921dba4a56 Mon Sep 17 00:00:00 2001 From: Henrik Levkowetz Date: Fri, 9 Mar 2018 18:56:39 +0000 Subject: [PATCH] Updated changelog entry for release 6.75.0. - Legacy-Id: 14759 --- changelog | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/changelog b/changelog index cd993e8fe..f7090cada 100644 --- a/changelog +++ b/changelog @@ -1,6 +1,26 @@ ietfdb (6.75.0) ietf; urgency=medium - **Sanitized HTML uploads** + **Sanitization of HTML uploads** + + During the last few IETF meetings, there have been a few cases of agenda and + minutes uploads that have not worked well, for various reasons. Some have + unintentionally used frames, and failed to include the frame contents; some + have used iframes, which pulls the actual content from elsewhere, which + means it won't actually be saved on the IETF servers and archived. There + has also been issues relating to styling and use of javascript. This shows, + of course, that malicious uploads (even if unintentional) are possible. + + Considering this, it seems that a good and general approach would be to do + what is often called 'sanitization' of uploaded html content. (Uploaded + text and markdown documents won't be affected). + + This release introduces such sanitization. + + The cost of this is that if you upload agendas and minutes in HTML format, + you will need to check the results after upload, to make sure that the + agenda and minutes still captures your intent after the sanitization. + + Additionally, there is, as usual, some other features and bugfixes: * Added sanitization of uploaded html content for session agendas and minutes, and did some refactoring of the upload form classes.
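Review bot: the new changelog paragraphs have three grammatical slips that should be fixed before release: "There has also been issues relating to styling" should read "There have also been issues relating to styling"; "the agenda and minutes still captures your intent" should read "still capture your intent"; and "there is, as usual, some other features and bugfixes" should read "there are, as usual, some other features and bugfixes". The phrase "malicious uploads (even if unintentional)" is also self-contradictory; "harmful uploads (even if unintentional)" or "problematic uploads" would say what is meant. Finally, since the entry tells uploaders to check their agendas and minutes after upload, it would help them to state what the sanitization actually removes. The paragraph above already names frames, iframes, styling and javascript as the problem cases, so a short sentence listing which of those are stripped would let authors know what to look for rather than re-reading the whole document.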