In applications that use textile4j to process text from
untrusted users (say, in a guestbook or blog comments),
it's possible to inject JavaScript and create a
cross-site scripting (XSS) attack.
A very simple example of HTML that would cause this to
happen when passed through textile4j is as follows:
<script> alert("XSS Script sample exploit"); </script>
More information on cross-site scripting is available here:
http://en.wikipedia.org/wiki/XSS
http://www.cert.org/tech_tips/malicious_code_mitigation.html
http://www-128.ibm.com/developerworks/tivoli/library/s-csscript/
In order to avoid this sort of attack, textile4j should
have an option that has it escape any HTML passed into
it, instead of attempting to pass it through.
This patch against textile4j-1.20 implements a public void
setAllowHtml(boolean) method that lets the caller specify
that HTML should not be allowed. The default is the
previous behavior: HTML is allowed in Textile-processed
text.
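The following is an added example, not code from textile4j or from the patch attached to this report. It shows the kind of escaping an allowHtml=false setting would have to apply to untrusted input before Textile formatting, using the script tag from the report as constructed input. The class name TextileFilter and the prepare() method are assumptions made for illustration; the report only names setAllowHtml(boolean), and textile4j's own class names are not given here.

```java
// Added example, not part of textile4j: a minimal filter that models
// the allowHtml option described in the report. Only setAllowHtml(boolean)
// comes from the report; TextileFilter and prepare() are hypothetical names.
public class TextileFilter {

    // Matches the reported default: HTML is passed through unchanged.
    private boolean allowHtml = true;

    public void setAllowHtml(boolean allowHtml) {
        this.allowHtml = allowHtml;
    }

    /**
     * Escape the characters that let raw text be interpreted as HTML
     * markup or as an attribute delimiter. Escaping '&' first is implicit
     * here because every input character is handled exactly once.
     */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Prepare untrusted text for Textile processing. With allowHtml=false
     * every HTML-significant character is neutralised before the Textile
     * formatter sees it; with allowHtml=true the text is returned as-is.
     */
    public String prepare(String untrusted) {
        return allowHtml ? untrusted : escapeHtml(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample input: the script tag quoted in the report.
        String input = "<script> alert(\"XSS Script sample exploit\"); </script>";

        TextileFilter filter = new TextileFilter();
        System.out.println("allowHtml=true : " + filter.prepare(input));

        filter.setAllowHtml(false);
        System.out.println("allowHtml=false: " + filter.prepare(input));
    }
}
```

The escaping has to run on the raw input, before the Textile formatter, because Textile's own output is HTML; escaping after formatting would destroy the markup Textile legitimately produces. With allowHtml=false the sample tag reaches the browser as literal text rather than as a script element, which is the behaviour the report asks for.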
allowHtml patch