> Sarven Capadisli wrote:
>> On Sun, 2009-07-26 at 00:58 -0400, Craig Andrews wrote:
>>> If we return the content-type as "text/html" instead of "application/xml"
>>> or "application/xhtml+xml" webkit works fine, as laconica is now writing
>>> valid markup to the DOM.
>>
>> We could use the HTML_Safe PEAR library or Tidy to clean up what we get
>> and set the response mimetype to text/xml. Zach actually tested this,
>> but, I can't recall what was the final status.
>
> HTML_Safe does a pretty good job of converting everything to XHTML. The
> trouble is it strips out "potentially dangerous content," including
> elements oohembed.com returns for YouTube, Vimeo, and other video sites
> -- namely: 'embed' and 'object'.
>
> Maybe we can hack in an element whitelist.  We really should be
> filtering the HTML we're getting from these oembed sites.  Any
> suggestions for other good ways to do that?
> Zach

I just tried out htmLawed (same idea as tidy or HTML_Safe) and ran into an
issue. As you said, these filtering libraries tend to take out 'object'
and 'embed.' So I whitelisted those tags. The problem is that 'object' is
valid xhtml, but 'embed' is not. So if we whitelist them, the result is
not valid xhtml, and we're right back where we started.

oohembed returns <object> and <embed> tags for YouTube, but you can
express the video as <object> without <embed>, therefore producing valid
xhtml. Since oohembed is Free, we can patch it. But many other
oembed-supporting sites will still produce invalid xhtml, and we cannot
possibly fix them all.

I don't think an html filtering solution will work.

~Craig


_______________________________________________
Laconica-dev mailing list
[email protected]
http://mail.laconi.ca/mailman/listinfo/laconica-dev
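
The element whitelist discussed in this thread, as an added Python sketch (not code from the thread, from Laconica, or from htmLawed/HTML_Safe): it keeps only `<object>` and `<param>`, drops `<embed>` and script content, checks URLs against a host allowlist, and emits well-formed XHTML. The allowed elements and attributes, `TRUSTED_HOSTS`, and the sample markup are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.sax.saxutils import escape, quoteattr

ALLOWED = {"object": {"type", "data", "width", "height"}, "param": {"name", "value"}}
DROP_CONTENT = {"script", "style"}        # dropped together with their text
TRUSTED_HOSTS = {"video.example.com"}     # constructed host; policy is an assumption

def url_ok(url):
    u = urlparse(url)
    return u.scheme in ("http", "https") and u.hostname in TRUSTED_HOSTS

class OEmbedFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.depth, self.skip = [], 0, 0

    def handle_starttag(self, tag, attrs):
        self.skip += tag in DROP_CONTENT
        if self.skip or tag not in ALLOWED:
            return                        # e.g. <embed>: not valid XHTML, so dropped
        kept = {k: v or "" for k, v in attrs if k in ALLOWED[tag]}
        if tag == "object" and not url_ok(kept.get("data", "")):
            kept.pop("data", None)        # keep the element, lose the untrusted URL
        name = kept.get("name", "").lower()
        if tag == "param" and not (name == "movie" and url_ok(kept.get("value", ""))):
            return                        # only a trusted "movie" param survives
        attr_s = "".join(f" {k}={quoteattr(v)}" for k, v in kept.items())
        self.out.append(f"<{tag}{attr_s}/>" if tag == "param" else f"<{tag}{attr_s}>")
        self.depth += tag == "object"     # <object> is the only non-void element kept

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag == "object" and self.depth:
            self.depth -= 1
            self.out.append("</object>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(fragment):
    p = OEmbedFilter()
    p.feed(fragment)
    p.close()                             # flush text still buffered by the parser
    return "".join(p.out) + "</object>" * p.depth   # close anything left open

SAMPLE = ('<object width="425" height="344"><param name="movie" value="https://video.example.com/v/1">'
          '</param><embed src="https://video.example.com/v/1"></embed><script>t()</script></object>')
```

A provider whose markup consists only of `<embed>` comes out of `sanitize()` empty, which is the limitation Craig describes above.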
