The only reason users of Aggie didn’t get bit by Mark’s prank is that he put the rogue style attribute in the description element and not the content:encoded element. So Aggie, while it does strip object, meta and script tags, is still vulnerable to this kind of hack. A new version of Aggie will be posted when I have this fixed.
I didn’t think we removed style attributes. Time to do some testing.
Posted by Joe on 2003-06-13
I don’t think that’s true, Joe. The Aggie parser folds content:encoded into description, if it finds any. (I already have the code that does the same for the Sam Ruby/Don Box xhtml tag, it’s just not checked in.) In any case, all such content is checked for these tags, so I don’t see a reason to make any modifications.
Posted by Ziv Caspi on 2003-06-12
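The two points in the thread, folding content:encoded into description before checking it, and stripping style attributes as well as object/meta/script elements, as an added example that is not Aggie's code. It assumes a content:encoded element, when present, takes precedence over description (the folding rule is an assumption), and the RSS feed below is constructed for the test.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

CONTENT_NS = "http://purl.org/rss/1.0/modules/content/"
BLOCKED_TAGS = {"script", "object", "meta"}   # elements dropped with their contents
BLOCKED_ATTRS = {"style"}                      # attributes dropped from any element


class Sanitizer(HTMLParser):
    """Rebuilds item markup, dropping blocked elements and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside a blocked element

    def _open(self, tag, attrs, selfclosing):
        kept = " ".join(f'{k}="{html.escape(v or "")}"'
                        for k, v in attrs if k not in BLOCKED_ATTRS)
        self.out.append(f"<{tag}{' ' + kept if kept else ''}{' /' if selfclosing else ''}>")

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.skip += 1
        elif not self.skip:
            self._open(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag not in BLOCKED_TAGS and not self.skip:
            self._open(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_feed(xml_text):
    """Return the cleaned description of every item; content:encoded wins over description."""
    results = []
    for item in ET.fromstring(xml_text).iter("item"):
        enc = item.find(f"{{{CONTENT_NS}}}encoded")
        src = enc if enc is not None else item.find("description")
        p = Sanitizer()
        p.feed(src.text or "")
        p.close()
        results.append("".join(p.out))
    return results
```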