[nycphp-talk] sanitizing user-submitted html
Chris Snyder
chris at psydeshow.org
Sat May 31 01:16:37 EDT 2003
James Wetterau wrote:
>I think at minimum you need to loop over the resulting output to
>verify that you haven't transformed your input into an output which
>still triggers your conditions for requiring modification.
>
>One thing you might want to do is add extraneous spaces around things
>you've expunged, which might prevent parts from joining together around
>an expunged piece. This should generally be ok, because most legitimate
>HTML shouldn't care about whitespaces.
>
>
Now I'm getting the picture -- I think the shortcut out of this might be
to strip all tags if any of the attribute patterns match in the first
place. It's not worth the CPU cycles to be kind to the one user in a
million who means no harm with an onmouseover event.
Oh the sanity!
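An added example (not code from this thread, and in Python rather than PHP) that puts the three ideas above side by side: a naive single pass that lets the pieces around an expunged attribute join back together, James's loop-until-stable with space padding, and Chris's shortcut of dropping every tag once any attribute pattern matches. The deny-list and the sample fragment are constructed for illustration.

```python
import re

# Constructed deny-list of attribute names treated as hostile in this example.
HOSTILE = ("onmouseover", "onclick", "onload")
TAG = re.compile(r"<[^>]*>")

# Constructed sample: the hostile name is split by a copy of itself, so one
# deletion of the inner copy leaves the outer halves joined into a live attribute.
SAMPLE = '<a href="/x" ononmouseovermouseover="x()">link</a>'


def is_suspicious(html: str) -> bool:
    """True if any deny-listed name appears anywhere in the fragment."""
    lowered = html.lower()
    return any(name in lowered for name in HOSTILE)


def expunge_once(html: str) -> str:
    """Naive single pass: delete each hostile name wherever it appears.
    Deleting with an empty string lets the surrounding text join back up."""
    for name in HOSTILE:
        html = re.sub(re.escape(name), "", html, flags=re.IGNORECASE)
    return html


def expunge_until_clean(html: str, max_rounds: int = 10) -> str:
    """James's approach: replace with a space so neighbours cannot join, then
    re-check the output and repeat until nothing hostile remains."""
    for _ in range(max_rounds):
        if not is_suspicious(html):
            return html
        for name in HOSTILE:
            html = re.sub(re.escape(name), " ", html, flags=re.IGNORECASE)
    # Still matching after max_rounds: refuse to be kind and drop every tag.
    return TAG.sub("", html)


def strip_all_if_suspicious(html: str) -> str:
    """Chris's shortcut: any match at all means every tag goes."""
    return TAG.sub("", html) if is_suspicious(html) else html
```

Running the three functions over SAMPLE shows the single pass hands back a fragment that still matches the deny-list, while the other two do not.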