On 10/29/10 02:28, Coolzy wrote:
What is the best way to sanitize HTML input by users? Let's say we have
an HTML editor, and a user does something like this:
<table border="1" cellspacing="0" cellpadding="0" width="1009"
class="MsoNormalTable"
style="border-collapse: collapse; border: medium none">
Suddenly the entire page layout becomes large because the user created a
table with width=1009. How do you folks overcome this?
For that particular case, the simplest thing to do is to enclose the
user HTML in something like this (which is what Caja does):
<div style="position:relative; overflow:hidden">
...
</div>
Another approach is to completely forbid HTML attributes and CSS
properties that may break layout. So, any use of 'width' would be
rejected or removed.
Another approach is to do a test render and see if the result violates
some constraints (which might not be too hard to do in a browser).