

Watch out for HTML tags
Authored by: stewby on May 28, '04 03:54:57PM

What I've done instead is modified the comment plugin to replace '<' and '>' with their HTML character entities instead... that's *much* safer. People can do very bad things to your site with the ability to submit arbitrary HTML.

If you want to allow styling, you can set up some simple regex replacements for things like newlines to insert controlled HTML. Not only is it safer, but people posting comments needn't know HTML.



Watch out for HTML tags
Authored by: tinker on May 28, '04 08:03:11PM

I'd be quite happy to do this too -- but note that permitting HTML tags in comments/writebacks is the default with Blosxom, not anything I've added. The problem is that Blosxom treats all comments as pure HTML, so people who write in with multiple paragraphs (separated by control-Ms) are annoyed to see their un-editable comments go up as one big block of text. Just trying to provide a quick fix for that. Altering how the writebacks plugin handles input goes well beyond my range. I agree, though, that it would be a very helpful addition.



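The approach stewby describes (escape '<' and '>' to entities, then use regex replacements to insert controlled HTML for newlines) together with the control-M paragraph problem tinker describes, worked through as an added example. This is not code from Blosxom, the writeback plugin or Writebackplus; the function names and the sample comment are constructed for illustration. It escapes '&' first so the entities it emits are not escaped a second time, and it normalises CR and CRLF to LF before splitting paragraphs, so comments pasted with Mac-style line endings do not collapse into one block.

```perl
#!/usr/bin/perl
# Added example, not code from Blosxom or the Writebackplus plugin:
# neutralise submitted markup by escaping it, then add controlled HTML
# for paragraphs and line breaks. Function names are hypothetical.
use strict;
use warnings;

# Replace the characters that can open markup with HTML entities. '&' is
# handled first; otherwise the entities produced afterwards would be
# escaped a second time.
sub escape_html {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Build the only HTML the comment is allowed to contain: <p> around each
# paragraph (separated by a blank line) and <br /> for a single line
# break. CRLF and bare CR (control-M) are normalised to LF first, so
# comments pasted with Mac-style line endings keep their paragraphs.
sub format_comment {
    my ($raw) = @_;
    my $text = escape_html($raw);
    $text =~ s/\r\n?/\n/g;
    my @paras = grep { /\S/ } split /\n{2,}/, $text;
    my @html;
    for my $p (@paras) {
        $p =~ s/^\s+|\s+$//g;      # trim the paragraph
        $p =~ s/\n/<br \/>\n/g;    # single line break inside a paragraph
        push @html, "<p>$p</p>";
    }
    return join "\n", @html;
}

# Constructed sample: an attempted tag plus control-M separated paragraphs.
my $sample = "Hi <b>all</b> & friends\r\rSecond paragraph\rwith a line break";
print format_comment($sample), "\n";
```

Run it with `perl` and the sample's `<b>` tag comes out as literal text (`&lt;b&gt;`), while the two paragraphs and the single break are rendered with the `<p>` and `<br />` tags that the script, not the commenter, chose. Any other styling you want to allow (emphasis, links) should be added the same way: as a recognised plain-text pattern that the script rewrites, never as tags taken from the submission.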
Update: Watch out for HTML tags
Authored by: tinker on May 30, '04 11:30:18AM

I tried Fletcher Penney's Writebackplus plugin, available through the Blosxom plugin registry, and it does a wonderful job of stripping out HTML tags. It can also be configured in a straightforward way, i.e., even by me. It has a few nice features as well; for example, it adds the time/date to a comment posting. Thanks for the heads-up.


