onli

The validator complaining on its own is no problem. But you are saying that users have problems because of this in regular feed readers?

Okay. Just in case: The best place to remove those comments if necessary is probably somewhere in https://github.com/s9y/Serendipity/blob/280a2f1c00a5b9fadb9f01c66b123290e461e634/include/functions_rss.inc.php#L30

Yeah, I'm really surprised about that bug, and it might be related to something not directly involved. I had hoped the smart code is your work :) Well, we will...

That's the thing: If I'm not mistaken it's the exact same url. Just a link to a category. That it's a parent/or child category is just a setting in the...

Hi! Is this about new entries or new comments? I tried to reproduce it and can not: An entry with the title set to `alert(document.domain);` does print that code, but...

Which exact theme? The steps to reproduce do not work for me.

> The "steps to reproduce" add the script tags to the body of a new entry. That does work when previewing Only when previewing? Then it's likely the preview_iframe.tpl of...

Oh, okay. I completely misread the instructions then. Yes, then this works as intended. In scenarios where not all editors are trustworthy the xsstrust plugin is the solution here.

> If either of you would like me to demonstrate these payloads over Discord, We can do that, but if it's really about JS in the body this is just...

It looks to me like that variable is a leftover from way back then. It is given to Smarty's security_settings, which I only see in two places: 1) in **include/serendipity_smart_class.inc.php**:...