RE: whitelisting HTML tags
From: Tim Hollebeek (tholleb at teknowledge.com)
Date: Mon Nov 07 2005 - 13:33:45 CST
> It seems to me simpler to say [b] becomes <b> than to worry
> if <b> can take an argument.
My point is that it isn't.
You write a parser for SimpleHTML that understands "<b>" but
doesn't understand "<b ...>". If it sees the latter, it will
reject it. Not because you worried about the case, but because
it isn't part of the SimpleHTML language.
Unless the BBHTML -> SimpleHTML translation is complex, the
SimpleHTML parser is no more complex than the BBHTML parser.
Actually, it's less complex since it is just parsing, and not
doing any translating. This saves you from having to be careful
how you put the output together, and making sure it is correct.
It's nicer on the users, too: no need to learn new syntax.
> It's also harder for someone to come along and transform it
> from a whitelist function to a blacklist function without
> properly considering the security implications.
That's a valid point.
-Tim
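The kind of SimpleHTML parser Tim describes, as an added example that is not part of the original message or of any project discussed in the thread. The tag set (b, i, u, p), the lowercase-only tag syntax and the function names are assumptions for illustration. The point it demonstrates is the one in the message: "<b ...>" is rejected not because the parser inspects attributes, but because the only tag tokens in the language are the fixed literals "<name>" and "</name>", so anything else after a "<" is simply not a sentence in the grammar. Output is rebuilt from the parsed tokens, so it can only ever contain whitelisted tag literals and escaped text.

```python
import html
import re

# Hypothetical SimpleHTML language: text plus exactly these literal tags.
ALLOWED_TAGS = frozenset({"b", "i", "u", "p"})

# A tag token is "<name>" or "</name>", lowercase letters only, with nothing
# else between the angle brackets. Any "<" that does not start such a token
# is a parse error, not something to be cleaned up or passed through.
_TAG = re.compile(r"<(/?)([a-z]+)>")


class SimpleHTMLError(ValueError):
    """Raised for input that is not in the SimpleHTML language."""


def tokenize(src):
    """Split src into ("text", s), ("open", name) and ("close", name) tokens."""
    tokens = []
    pos = 0
    while pos < len(src):
        if src[pos] != "<":
            # Text runs up to the next "<" (or end of input).
            end = src.find("<", pos)
            if end == -1:
                end = len(src)
            tokens.append(("text", src[pos:end]))
            pos = end
            continue
        m = _TAG.match(src, pos)
        if m is None:
            # Covers "<b onclick=x>", "<B>", "< b>", a stray "<", etc.
            raise SimpleHTMLError(f"malformed tag at offset {pos}")
        closing, name = m.group(1) == "/", m.group(2)
        if name not in ALLOWED_TAGS:
            raise SimpleHTMLError(f"unknown tag <{name}> at offset {pos}")
        tokens.append(("close" if closing else "open", name))
        pos = m.end()
    return tokens


def parse(src):
    """Tokenize and check that tags are properly nested; return the tokens."""
    tokens = tokenize(src)
    stack = []
    for kind, value in tokens:
        if kind == "open":
            stack.append(value)
        elif kind == "close":
            if not stack or stack[-1] != value:
                raise SimpleHTMLError(f"unexpected </{value}>")
            stack.pop()
    if stack:
        raise SimpleHTMLError(f"unclosed <{stack[-1]}>")
    return tokens


def render(src):
    """Emit HTML from parsed SimpleHTML.

    Text nodes are escaped and tags are re-emitted from their names, so the
    output is assembled only from whitelisted literals and escaped text.
    """
    out = []
    for kind, value in parse(src):
        if kind == "text":
            out.append(html.escape(value, quote=True))
        elif kind == "open":
            out.append(f"<{value}>")
        else:
            out.append(f"</{value}>")
    return "".join(out)


def is_simplehtml(src):
    """True if src is in the language, False otherwise (validate before storing)."""
    try:
        parse(src)
        return True
    except SimpleHTMLError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs.
    print(render("<b>bold</b> and <i>italic</i>, x & y"))
    for bad in ("<b onclick=x>y</b>", "<script>y</script>", "<b>y</i>", "a < b"):
        print(repr(bad), "accepted" if is_simplehtml(bad) else "rejected")
```

Because the grammar is the whitelist, turning this into a blacklist would require rewriting the tokenizer rather than flipping a condition, which is the property the quoted reply is after.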