Can I take a simpler approach like this:

1. Use a JavaScript regular expression to detect whether the user input string has a dangerous tag.
2. If there is any forbidden tag, I'd just use gadgets.util.escapeString before displaying the content.
3. If the string is clean, I'd allow the content to be displayed without escaping it.
Do you think this is safe enough?

Regards,
Guilherme

On 26 Sep, 17:54, Jason <[EMAIL PROTECTED]> wrote:
> Wikis generally get around this by introducing a special syntax, e.g.
> wikis on http://code.google.com, which use the syntax
> at http://code.google.com/p/support/wiki/WikiSyntax. The correct
> substitutions are made before the page is rendered, transforming
> *bold* into <b>bold</b> for example.
>
> If you don't want to emulate this model, you'll have to be very
> careful. You can unescape the output to get the raw HTML but you must
> filter out tags that you don't want in your descriptions such as
> <script>, <iframe>, <applet>, and so on. This is more difficult than
> it sounds, so I advise you go with the first approach.
>
> - Jason
>
> On Sep 25, 12:21 pm, guifiche <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> >
> > I'd like to allow the app users to type a product description using
> > HTML.
> > Currently I'm storing variables in a JSON string and according to
> > the Orkut guidelines I must escape the string before displaying the
> > data. This causes the HTML to be displayed as a code snippet.
> >
> > When I don't escape the string I can get HTML displayed, but it is not
> > allowed because it may allow execution of JavaScript entered by the
> > user.
> >
> > How can I achieve this functionality and still adhere to Orkut
> > guidelines?
> > Anyone have a code sample to do this?
> >
> > Regards,
> > Guilherme
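The "first approach" Jason recommends, escape everything and then re-introduce a small whitelisted markup syntax, as an added example that is not code from the thread or from the Orkut/OpenSocial libraries. `escapeHtml` is an assumed stand-in for `gadgets.util.escapeString`, which is only available inside a gadget container; the wiki-style rules (`*bold*`, `_italic_`, newline to `<br>`) are chosen for illustration.

```javascript
// Added example, not from the original thread.
// escapeHtml stands in for gadgets.util.escapeString (assumption: the gadget
// API is not available outside the container, so the escaping is inlined here).
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape-then-markup: every character the user typed is escaped first, so raw
// HTML can never reach the page. Only the substitutions listed here produce
// tags, and they produce a fixed tag with no attributes, so the safe markup
// is enumerated rather than the dangerous markup.
// Rules (chosen for this example): *bold* -> <b>bold</b>,
// _italic_ -> <i>italic</i>, newline -> <br>.
function renderDescription(input) {
  var escaped = escapeHtml(input);
  return escaped
    .replace(/\*([^*\n]+)\*/g, '<b>$1</b>')
    .replace(/_([^_\n]+)_/g, '<i>$1</i>')
    .replace(/\r?\n/g, '<br>');
}

// Constructed sample descriptions, as a product description field might see them.
var samples = [
  'Great *deal* on this item',
  '<script>x</script> is just text here',
  '_Ships_ worldwide\nFree returns'
];
for (var i = 0; i < samples.length; i++) {
  console.log(renderDescription(samples[i]));
}
```

The ordering matters: escaping happens before the markup rules run, so the rules only ever see `&lt;` and `&gt;` where the user typed angle brackets, and a deny-list of tag names (which has to be complete to be safe) is never needed. A description typed as raw `<b>` simply renders as the literal text `<b>`; bold has to be requested through the wiki syntax instead.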