[pLog-svn] ugh. r6488 breaks our good old friends <, >, &lt; in post text

Jon Daley plogworld at jon.limedaley.com
Sat Feb 21 20:07:44 EST 2009


 	I had an idea about this.  What do people think about having a 
checkbox for plain text vs. HTML when commenting?  Then, if the person 
chooses (the default) plain-text, then the filtering is easy, because we 
can run html_entities() or whatever on everything.
 	And then how stuff currently works would happen when the HTML box 
is checked.
 	I was also wondering about not doing HTML at all, but forcing 
bbcode or some other pseudo-HTML like that.

On Tue, 17 Feb 2009, Jon Daley wrote:

> No answer?  I'll just keep coding then.
>
> I'm having trouble with allowing HTML and a '<' in a comment.  I am not sure 
> how to get the bad-code-filtering and the XHTML checker to allow it. Right 
> now, '<' and '>' are removed, since they are bad HTML.  If we didn't allow 
> HTML, but instead used a bbcode-variant, that would fix it, as then I could 
> escape all HTML.
>
> On Fri, 13 Feb 2009, Jon Daley wrote:
>
>> 	I just noticed that due to the htmlDecode call in filterJavascript 
>> for the postText, it (now, as of rev. 6488) converts &lt; to < (in order to 
>> catch the tricky javascript coders) and then the < is removed by the 
>> xhtmlize() call later.
>> 	I first thought I could put a htmlentities() or htmlspecialchars() at 
>> the end of filterJavascript(), but that causes all HTML entities to be 
>> saved as non-HTML, i.e. all < are converted to &lt;
>> 	Maybe we do need to switch over to a new filter?
>> 
>> And, please check out the following bug, which is likely the same issue as 
>> what I just found.  I see that no one has been testing 1.2.9?  Are you all 
>> still using insecure versions of LT (i.e. 1.2.8 or 2.0)?
>> 
>> http://bugs.lifetype.net/view.php?id=1579

-- 
Jon Daley
http://jon.limedaley.com
~~
(Sung to the tune of
yellow submarine)
We all live in room 5419,
room 5419, room 5419
-- Mike Schuresko (presumably referring to 15-127 students)
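The decode-then-strip problem described in the thread, and the proposed plain-text comment mode, as an added example that is not LifeType code: filter_javascript() and xhtmlize() below are small stand-ins for the real filterJavascript()/xhtmlize(), and ALLOWED_TAGS and SCRIPTISH_RE are constructed for the demonstration.

```python
import html
import re

# Constructed tag whitelist for the model, not LifeType's real one.
ALLOWED_TAGS = {"b", "i", "em", "strong", "a", "p", "br"}

# Either a complete tag (group 1 = tag name) or a bare '<' / '>'.
TOKEN_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)[^<>]*>|[<>]")

# Constructed stand-in for the "bad code" the javascript filter removes.
SCRIPTISH_RE = re.compile(
    r"<\s*script\b[^>]*>.*?<\s*/\s*script\s*>|javascript:", re.I | re.S)


def filter_javascript(text: str) -> str:
    """Model of filterJavascript after r6488: decode entities first, so that
    entity-encoded script (&lt;script&gt;) cannot slip past, then remove it.
    Side effect: a '&lt;' the author typed on purpose is now a raw '<'."""
    decoded = html.unescape(text)
    return SCRIPTISH_RE.sub("", decoded)


def xhtmlize(text: str) -> str:
    """Model of xhtmlize: keep whitelisted tags, drop unknown tags and strip
    any bare '<' or '>' left over, since those are not well-formed XHTML."""
    def fix(m: re.Match) -> str:
        if m.group(1) is None:          # stray bracket, not part of a tag
            return ""
        return m.group(0) if m.group(1).lower() in ALLOWED_TAGS else ""
    return TOKEN_RE.sub(fix, text)


def store_comment_html(text: str) -> str:
    """Current pipeline: decode -> strip script -> xhtmlize. A literal '<'
    or an '&lt;' entity both end up deleted."""
    return xhtmlize(filter_javascript(text))


def store_comment_plain(text: str) -> str:
    """Proposed plain-text mode: no markup is allowed, so every special
    character is escaped and nothing reaches xhtmlize as a raw bracket."""
    return html.escape(text, quote=True)


def store_comment(text: str, allow_html: bool = False) -> str:
    """Dispatch on the proposed checkbox; plain text is the default."""
    return store_comment_html(text) if allow_html else store_comment_plain(text)
```

With the HTML box checked, "x &lt; y" still loses its '<' exactly as the thread describes; in the default plain-text mode the same comment survives, rendered as the characters the author typed.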

