Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Try Vanilla Forums Cloud product

Ready to contribute?

Amazing! Sign our contributors' agreement and then join us on GitHub.

Update for critical security issue in PHPMailer included in release Vanilla 2.3.1
Please upgrade to 2.3 here. The 2.2 and earlier branches are no longer being updated.

Major HTMLawed Security Issues



  • The security issue was plugged by Todd's config changes. As long as you don't change the config to allow style/class again, you should be fine. If you use an advanced WYSIWYG editing plugin you'll probably want to consider installing the HTML Purifier plugin.

  • honestly html purifier is over hyerped, there are some use cases, but a forum is not one of them IMO. Possibly collaborative blogging that sort of scale.

    If you are doing an advanced WYSIWYG then presumably you know what you are doing. There is no reason why you couldn't use it with htmlLawed. Just many thing would be stripped out. For instance I use a class whitelist configuration of htmlLawed and use an my own tinyMCE setup, which adds the classes. I'm not worried about styling in feeds in my case. All in-line styles are stripped.

    grep is your friend.

Sign In or Register to comment.