|Syntactic Confectionery Delight|
Re^5: side effects "Enforce proper nesting of HTML" (security)by tye (Sage)
|on Jun 09, 2017 at 06:57 UTC||Need Help??|
Unapproved mark-up (both HTML tags and HTML attributes) are already always blocked. That takes care of the cross-site scripting security concern.
An enhancement was implemented to go further and better protect site layout from (usually unintentional) inclusion of approved tags in a manner that can interfere with layout beyond the contents of the individual submission. This enhancement goes beyond noting that 'br' tags are approved for inclusion so it also blocks any 'br' tags that are not "properly nested". So you can, for example, include "<br>", "<br></br>", and "<br />" and not have them blocked.
However, with the enhanced validation, including something like "</br>" or "</p>" without a matching, preceding opening tag, will lead to that tag being blocked. Without the enhancement, such constructs are included (which presents absolutely no problem that could be described as "security").
During the trial period where the enhancement is optional to shake out unintended consequences, it was discovered that misplacing the "/" in "<p />" by using "</p>" was such a common mistake that many browsers had decided to interpret the latter as the former.
That was really the only major problem discovered. It frankly should not be particularly difficult to fix that and then make the enhancement no longer optional. I'm even tempted to just make the enhancement no longer optional even without that tweak (except for the impact it would have on previously-posted nodes).
I thought that I had already made the increased validation the default for new users and something that applied to anonymonk. At least the latter appears to not be true or was reverted (perhaps by a bug that allowed anonymonk to sometimes impact those settings).