[pLog-svn] today's notes about validation

Jon Daley plogworld at jon.limedaley.com
Mon May 26 16:46:28 EDT 2008


On Mon, 26 May 2008, Jon Daley wrote:
>>  addcommentaction uses HttpVars::getRequest() need to look into that
>>          more.  allows html, need to verify the filters are getting rid
>>          of javascript, etc.  I believe they are.
> 	nope.  I'll look into more restrictive filtering.  Is there any 
> reason why we would want to allow javascript to be posted in a comment?  I 
> think we currently strip out 'normal' javascript, but with 10 or 20 seconds 
> of thinking about it, got some javascript to post successfully.

Hrm, filtering javascript is really hard.  The code we are 
currently using doesn't work in all situations, and presumably spammers 
are smart enough to figure it out.  There is this code, but since it is a 
ton bigger than our current code, I am a little wary of adding it.  I am 
surprised there aren't more examples out there of how to strip javascript, 
but leave HTML.  I guess if we used BBcode or similar that would fix it, 
since we could strip all HTML with the javascript.
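An allowlist-style sanitizer for the comment case discussed above, added here as an example; it is not pLog's code and is written in Python (pLog itself is PHP) using only the standard library. Instead of trying to recognise and strip JavaScript, it keeps only listed tags and attributes and only plain-link href schemes, so anything unrecognised is dropped by default and the text inside dropped tags is re-escaped.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse
# Allowlist: anything not listed here is dropped, so unknown tags, event
# handlers (onclick, onerror, ...) and script/style never reach the output.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "blockquote", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative link
DROP_WITH_CONTENT = {"script", "style"}

def attr_ok(tag, name, value):
    # Allowlisted attributes only; href must use a safe scheme (no javascript:, data:).
    if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
        return False
    return name != "href" or urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1           # drop the element and its text
        elif tag in ALLOWED_TAGS:          # unknown tags dropped, text kept
            kept = "".join(f' {n}="{html.escape(v, quote=True)}"'
                           for n, v in attrs if attr_ok(tag, n, v))
            self.out.append(f"<{tag}{kept}>")
            if tag != "br":
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.open_tags:        # close later-opened tags first
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:           # re-escape so text stays text
            self.out.append(html.escape(data, quote=False))

def sanitize_comment(text):
    p = AllowlistSanitizer()
    p.feed(text)
    p.close()
    return "".join(p.out + [f"</{t}>" for t in reversed(p.open_tags)])
```

The constructed inputs in the test below cover a dropped script element, a stripped event handler and non-link href, an unknown wrapper tag whose text is kept, and an unclosed tag that is closed on output.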
