We have cleaned up much of the post parser in a recent security update which included removing the block of code that attempts to decode hex entities into HTML.
Part of the problem is trying to balance a feature-rich application against various browser bugs (of which IE is the worst culprit for rendering what should be considered safe HTML code) and programmatically safe code.