Now that I've finished adding email subscriptions to ikiwiki, the only thing blocking me from finally making an official release of it is html sanitisation.

This is the part I've put off till last because it's the part I hate.

Somehow the web has evolved a backwards security model that wants sites with dynamic content to be responsible for policing that content for things that could cause security issues, instead of just making browsers actually secure so that no possible html can be a security issue. Which is of course absurd, but the various types of potential cross-site scripting attacks that users of your wiki will be vulnerable to if it doesn't try to sanitise its html are nothing to laugh at.

So everyone is left having to sanitise any untrusted content that they put up on the web. In my experience, almost everyone does it poorly; I've even found XSS holes in well-designed websites like Advogato. It doesn't help that browser coders are busy adding new features^Wholes to their web browsers, which everyone then has to update their sanitisers to block.

I don't like participating in security arms races, so while I am evaluating various html sanitisers right now, adding html sanitisation to ikiwiki is not a pleasant idea, and I am tempted to punt on it, document the issue, and refer anyone experiencing problems to the authors of their web browsers.

Sigh.