[pLog-svn] today's notes about validation
Reto Hugi
plog at hugi.to
Mon May 26 16:58:30 EDT 2008
Hi Jon
First, thanks for looking seriously at our filtering and validation. I
didn't manage to read all your notes posts, but saw that last mail. I
think we should consider the HTML Purifier library, too. It's maintained
and actively developed, and its purpose is mainly security related:
http://htmlpurifier.org/
Hope that helps!
cheers, reto
On 05/26/2008 10:48 PM, Jon Daley wrote:
>> On Mon, 26 May 2008, Jon Daley wrote:
>>>> addcommentaction uses HttpVars::getRequest(); need to look into that
>>>> more. It allows HTML, so I need to verify the filters are getting rid
>>>> of javascript, etc. I believe they are.
>>> Nope. I'll look into more restrictive filtering. Is there any
>>> reason why we would want to allow javascript to be posted in a comment? I
>>> think we currently strip out 'normal' javascript, but with 10 or 20 seconds
>>> of thinking about it, I got some javascript to post successfully.
>>
>> Hrm, filtering javascript is really hard. The code we are currently
>> using doesn't work in all situations, and presumably spammers are smart
>> enough to figure it out. There is this code, but since it is a ton bigger
>> than our current code, I am a little wary of adding it. I am surprised there
>> aren't more examples out there of how to strip javascript, but leave HTML. I
>> guess if we used BBcode or similar that would fix it, since we could strip
>> all HTML with the javascript.
>
> Forgot to include the link:
>
> http://phpclasses.waaf.net/browse/file/8941.html
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
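The problem Jon describes (remove scripting, keep formatting) is what libraries such as HTML Purifier solve by parsing the markup and rebuilding it from an allowlist of tags and attributes, instead of stripping patterns from the string. The following is an added illustration of that approach in Python; it is not pLog/LifeType code and not HTML Purifier, and the tag and attribute allowlist and the sample comments are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for blog comments (constructed for this example). Anything not listed
# is dropped, so unknown tags, event-handler attributes and inline scripts never
# reach the output, however they are spelled.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
RAW_TEXT_TAGS = {"script", "style"}  # their text content is dropped as well

class AllowlistSanitizer(HTMLParser):
    """Rebuild a comment from parsed tokens, keeping only allowlisted markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.raw_depth = [], [], 0

    def handle_starttag(self, tag, attrs):  # the parser lowercases names for us
        if tag in RAW_TEXT_TAGS:
            self.raw_depth += 1
        elif tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                    continue
                # href keeps only known-safe schemes (no javascript:, data:, ...)
                if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                    continue
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
            if tag != "br":  # br is void: nothing to close later
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth = max(0, self.raw_depth - 1)
        elif tag in self.open_tags:
            while (inner := self.open_tags.pop()) != tag:  # close tags still open inside
                self.out.append(f"</{inner}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.raw_depth:  # re-escape text so it can never become markup
            self.out.append(escape(data, quote=False))

def sanitize_comment(raw: str) -> str:
    p = AllowlistSanitizer()
    p.feed(raw)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open_tags))  # close what was left open
    return "".join(p.out)
```

Because the output is regenerated from the parsed tree, the result is also well-formed: unclosed tags in a comment are closed and cannot swallow the rest of the page.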