[pLog-svn] today's notes about validation
Jon Daley
plogworld at jon.limedaley.com
Mon May 26 16:48:56 EDT 2008
> On Mon, 26 May 2008, Jon Daley wrote:
>>> addcommentaction uses HttpVars::getRequest() need to look into that
>>> more. allows html, need to verify the filters are getting rid
>>> of javascript, etc. I believe they are.
>> nope. I'll look into more restrictive filtering. Is there any
>> reason why we would want to allow javascript to be posted in a comment? I
>> think we currently strip out 'normal' javascript, but with 10 or 20 seconds
>> of thinking about it, got some javascript to post successfully.
>
> Hrm, filtering javascript is really hard. The code we are currently
> using doesn't work in all situations, and presumably spammers are smart
> enough to figure it out. There is this code, but since it is a ton bigger
> than our current code, I am a little wary of adding it. I am surprised there
> aren't more examples out there of how to strip javascript, but leave HTML. I
> guess if we used BBcode or similar that would fix it, since we could strip
> all HTML with the javascript.
Forgot to include the link:
http://phpclasses.waaf.net/browse/file/8941.html