Richard Clarke wrote:
> Before I embark on a day exploring the pros and cons of today's
> cleaning/compression tools, I wondered if any of you could give me some
> feedback about your own experiences within the context of medium/large scale
> web sites/applications (E-Toys etc).

We didn't use compression at eToys. There were two main reasons for this. First, it was still a fairly experimental idea at the time, and I had seen browser compatibility problems when hitting some sites that used it. (I believe these have been fixed since then.) Second, more than half of our content was served from the mod_proxy cache, and I'm not aware of a compression tool that works with that.

> Is there any advantage to using modules like HTML::Tree or HTML::Parser to
> remove information (i.e. removing autoexecuting javascript tags and any
> other CSS issues) from user submitted information?

No, the best approach is to not attempt to filter user input at all but escape everything when you display it. Then if a user enters HTML characters they will just show up literally in the output. The only time you can't do it this way is if there are certain HTML characters you want to accept.

- Perrin
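
The escape-on-display approach from the reply above, next to a tag-stripping input filter for comparison. This is an added Perl example, not code from the original message; `escape_html` and `naive_filter` are hypothetical helper names and the sample comments are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that are significant in HTML text and in
# quoted attribute values. Applied when the value is displayed, not on input.
my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;');

sub escape_html {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# The filtering approach, for comparison: strip <script> elements on input.
# (Hypothetical filter; it only knows about the one tag it was written for.)
sub naive_filter {
    my ($text) = @_;
    $text =~ s{<script\b.*?</script\s*>}{}gis;
    return $text;
}

# Constructed sample submissions, stored exactly as the user typed them.
my @comments = (
    'I like <b>bold</b> & "quotes"',
    '<script>alert(1)</script>hello',
    '<img src="x" onerror="alert(1)">',
);

for my $raw (@comments) {
    my $filtered = naive_filter($raw);
    my $escaped  = escape_html($raw);
    # Flag any case where the filter still lets markup through to the page.
    my $note = $filtered =~ /</ ? '   <-- markup still reaches the browser' : '';
    printf "raw:      %s\nfiltered: %s%s\nescaped:  %s\n\n",
        $raw, $filtered, $note, $escaped;
}

# The same escaping keeps a value inside a quoted attribute, because the
# double quote that would close the attribute is emitted as &quot;.
my $name = 'x" onmouseover="alert(1)';
print '<input type="text" name="who" value="', escape_html($name), qq{">\n};
```

The filter removes the `<script>` element but passes the `<img>` tag with its event handler unchanged, while the escaped form of every sample contains no literal `<`, `>` or `"` for the browser to interpret.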


