potiuk commented on PR #497: URL: https://github.com/apache/jspwiki/pull/497#issuecomment-4627635538
Thanks @juanpablo-santos — all 14 answers are folded into §14 (and the relevant sections) as *(maintainer)*; resolving the threads now.

Captured:

- anonymous edit/upload + self-registration (with approval workflow) as dev-convenience/operator-restricts;
- JSPWiki markup default, raw HTML sanitized;
- the Anonymous/Asserted/Authenticated/Admin taxonomy (asserted ≠ authenticated);
- **XML-RPC removed on `master`, kept on `master-2.x`**;
- plugin reachability (any editor invokes any *installed* plugin; default set safe);
- attachments canonicalized + served-as-attachment;
- Tika in-model only when enabled;
- resource line (super-linear render + unbounded plugin recursion = bugs; arbitrary-markup only when the operator enables the flag);
- CSRF token/`SpamFilter`;
- salted-hash + default-on throttling;
- doc at root on master + master-2.x, PMC-owned.

@copilot-pull-request-reviewer's notes are addressed: tables now use single-pipe GFM, the model intentionally binds on both `master` + `master-2.x` (so "master" is correct, §1/§14.14), and `[email protected]` is the correct ASF reporting path.

One lower-leverage item stays open: which specific default plugins fetch URLs / read files, for a per-plugin SSRF/file-read note (§9).

The model is the PMC's to merge whenever — thanks for the thorough review.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
