[pLog-svn] today's notes about validation

Jon Daley plogworld at jon.limedaley.com
Mon May 26 16:48:56 EDT 2008


> On Mon, 26 May 2008, Jon Daley wrote:
>>>  addcommentaction uses HttpVars::getRequest() need to look into that
>>>          more.  allows html, need to verify the filters are getting rid
>>>          of javascript, etc.  I believe they are.
>> 	Nope.  I'll look into more restrictive filtering.  Is there any 
>> reason why we would want to allow javascript to be posted in a comment?  I 
>> think we currently strip out 'normal' javascript, but with 10 or 20 seconds 
>> of thinking about it, got some javascript to post successfully.
>
> 	Hrm, filtering javascript is really hard.  The code we are currently 
> using doesn't work in all situations, and presumably spammers are smart 
> enough to figure it out.  There is this code, but since it is a ton bigger 
> than our current code, I am a little wary of adding it.  I am surprised there 
> aren't more examples out there of how to strip javascript, but leave HTML.  I 
> guess if we used BBcode or similar that would fix it, since we could strip 
> all HTML with the javascript.

Forgot to include the link:

http://phpclasses.waaf.net/browse/file/8941.html
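The thread argues that stripping JavaScript out of otherwise-allowed HTML with a denylist is fragile, and that stripping all HTML (BBCode style) sidesteps the problem. The example below is added here and is not from the pLog code base or from the linked phpclasses package; it shows the middle ground an allowlist sanitizer gives: only a fixed set of tags and attributes survives, script/style bodies and comments are dropped entirely, and an href is kept only when its scheme is allowlisted after entity decoding and control-character stripping (the step a naive "contains javascript" check misses). The tag and attribute sets are assumptions chosen for this example, and the input strings are constructed.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist (example policy, an assumption for this demo): everything else is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "blockquote", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag AND its text content are removed


def safe_href(value):
    """Return a normalised href if its scheme is allowlisted or relative, else None."""
    if value is None:
        return None
    # Browsers ignore control characters inside the scheme ("java\nscript:"),
    # so normalise before checking; HTMLParser already decoded entities, but
    # unescape again so the function is safe to call on raw values too.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", html.unescape(value))
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None
    return cleaned


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack used to emit well-formed closing tags
        self.drop_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag vanishes, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close anything opened after it so the output nests properly.
            while self.open_tags:
                opened = self.open_tags.pop()
                self.out.append("</%s>" % opened)
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            # Text is always re-escaped, so decoded entities cannot re-form markup.
            self.out.append(html.escape(data, quote=False))

    # Comments, declarations and processing instructions fall through to the
    # base-class no-ops and are therefore dropped.

    def result(self):
        self.close()
        while self.open_tags:  # close tags the commenter left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Sanitize one comment body and return safe HTML."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comment bodies.
    for sample in ('<b>hi</b> <script>alert(1)</script>there',
                   '<a href="java&#10;script:alert(1)" onclick="x()">click</a>',
                   '<i>unclosed 5 &amp; 6 > 4'):
        print(repr(sanitize(sample)))
```

The design point is that the allowlist never has to know what "JavaScript" looks like: event-handler attributes are dropped because they are not listed, `<script>` bodies are dropped because the tag is not listed, and href values are judged by their scheme after normalisation rather than by pattern matching. For a production comment form this policy would sit alongside output encoding in the template and a CSP, not replace them.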
