[MojoMojo] Defang issues

Dan Dascalescu ddascalescu at gmail.com
Sat Nov 28 04:05:21 GMT 2009


I've just migrated my wiki to the current GitHub checkout version, and
one of the new features is MojoMojo::Formatter::Defang, a module
included by default, which attempts to prevent XSS by replacing a
number of HTML element attributes with "defang_<attribute>".

To ensure the migration did not affect the content, I generated an
HTML export of the same database using both the old version and the
current one. Then, I processed all HTML with a series of
search&replace rules, and I compared the two exports. It turned out
that numerous wiki pages had been corrupted in various ways by Defang:

* the intra-page links of footnotes and backlinks are broken
* {{YouTube ...}} is broken
* links that contain %[0-9A-F]\2 hex sequences are almost always broken
* other "special" characters in URLs are corrupted

I put up a test page at http://mojomojo.org/test/defang .

As far as I'm concerned, I've removed the Defang formatter, which
avoids all the issues above (the two exports compared identically).

--
Dan
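
The before/after export comparison described in the message, narrowed to URL-bearing attributes, as an added example that is not part of the original post and is not MojoMojo code. The two sample exports are constructed to exercise the checker (they are not captured Defang output), and the checker assumes the formatter keeps the sequence of tags unchanged.

```python
from html.parser import HTMLParser
import re

URL_ATTRS = {"href", "src"}  # attributes whose values must survive sanitizing

# Constructed samples: the same page exported without and with a sanitizer.
OLD_EXPORT = ('<p><a href="#fn1">1</a> <a href="/wiki/Caf%C3%A9">cafe</a> '
              '<a href="/about">about</a></p>')
NEW_EXPORT = ('<p><a defang_href="#fn1">1</a> <a href="/wiki/Caf%25C3%25A9">cafe</a> '
              '<a href="/about">about</a></p>')


class TagCollector(HTMLParser):
    """Record every start tag with its attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def collect(html):
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


def classify(value):
    """Group a URL by kind: intra-page anchor, percent-encoded, or other."""
    if value.startswith("#"):
        return "intra-page"
    if re.search(r"%[0-9A-Fa-f]{2}", value):
        return "percent-encoded"
    return "other"


def link_regressions(old_html, new_html):
    """Return (kind, old_value, new_value) for each URL attribute that changed.

    new_value is None when the attribute is missing or renamed in the new export.
    """
    old, new = collect(old_html), collect(new_html)
    findings = []
    for i, (tag, attrs) in enumerate(old):
        new_attrs = new[i][1] if i < len(new) and new[i][0] == tag else {}
        for name in sorted(attrs.keys() & URL_ATTRS):
            before, after = attrs[name] or "", new_attrs.get(name)
            if after != before:
                findings.append((classify(before), before, after))
    return findings
```

Run over real exports, an empty result means every `href` and `src` value came through the sanitizer unchanged.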


