[nycphp-talk] sanitizing user-submitted html

Chris Snyder chris at
Sat May 31 01:16:37 EDT 2003

James Wetterau wrote:

>I think at minimum you need to loop over the resulting output to
>verify that you haven't transformed your input into an output which
>still triggers your conditions for requiring modification.
>One thing you might want to do is add extraneous spaces around things
>you've expunged, which might prevent parts from joining together around
>an expunged piece.  This should generally be ok, because most legitimate
>HTML shouldn't care about whitespaces.
Now I'm getting the picture -- I think the shortcut out of this might be 
to strip all tags if any of the attribute patterns match in the first 
place. It's not worth the CPU cycles to be kind to the one user in a 
million who means no harm with an onmouseover event.

Oh the sanity!
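The two approaches discussed in the thread, as an added example in Python (not code from the original list post or from either poster): a sanitizer that strips event-handler attributes, re-run to a fixed point and padding each removed piece with a space, next to the shortcut of stripping every tag as soon as any attribute pattern matches. The handler list and the sample input are constructed for this illustration; a real deployment would keep its own pattern list.

```python
import re
from typing import Tuple

# Attribute patterns that must not survive in user-submitted HTML.
# A fixed, literal list is used here (constructed for this example) so that
# each pattern matches a complete attribute name rather than any "on..." prefix.
EVENT_ATTR = re.compile(
    r"""(onmouseover|onclick|onload|onerror)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""",
    re.IGNORECASE,
)
ANY_TAG = re.compile(r"<[^>]*>")

# Constructed input: text on both sides of the first attribute re-forms the
# same attribute once that attribute is cut out.
SAMPLE = '<a href="/" onmouseonmouseover="1"over="2">link</a>'


def expunge_once(html: str, pad: bool) -> str:
    """Single pass: remove every attribute that matches EVENT_ATTR.

    With pad=True the removed piece is replaced by a space, so the fragments on
    either side of the hole cannot join into a new attribute.
    """
    return EVENT_ATTR.sub(" " if pad else "", html)


def sanitize_fixed_point(html: str, pad: bool = True, max_passes: int = 10) -> Tuple[str, int]:
    """Re-run the stripper until the output no longer triggers the pattern.

    Returns (clean_html, passes_used). The pass limit is a guard against a
    sanitizer whose output never settles; each pass here only shortens the
    string, so convergence is guaranteed, but the check costs nothing.
    """
    for n in range(1, max_passes + 1):
        out = expunge_once(html, pad)
        if not EVENT_ATTR.search(out):
            return out, n
        html = out
    raise ValueError("sanitizer did not reach a fixed point")


def sanitize_strip_all_if_suspicious(html: str) -> str:
    """The shortcut from the reply: if any attribute pattern matches at all,
    drop every tag instead of trying to repair the markup."""
    if EVENT_ATTR.search(html):
        return ANY_TAG.sub("", html)
    return html


if __name__ == "__main__":
    # Without padding the first pass leaves a fresh onmouseover behind, so a
    # second pass is needed; with padding one pass suffices.
    print(sanitize_fixed_point(SAMPLE, pad=False))
    print(sanitize_fixed_point(SAMPLE, pad=True))
    print(sanitize_strip_all_if_suspicious(SAMPLE))
    print(sanitize_fixed_point("<p>hello</p>"))
```

Run as a script it prints the un-padded result after two passes, the padded result after one, the plain text left by the strip-everything shortcut, and an untouched benign fragment. The fixed-point loop is the general form of the check the first poster describes: the output is only accepted once it no longer matches any of the conditions that caused a modification.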
