On Monday 06 February 2006 18:00, Mathieu Roy wrote:
> On Monday 6 February 2006 17:48, Tobias Toedter wrote:
> > This commit just changes indentation and adds a placeholder condition
> > around the formatting code. The condition will be modified to be able
> > to selectively bypass the markup code when special markup tags are
> > encountered (<nowiki>, <pre>, <code>).
>
> ??
>
> What does nowiki mean, what does pre mean?
<nowiki> is a tag used by MediaWiki to disable the wiki formatting. I think
this is something we need, too.
<pre> is just the plain old HTML <pre>, meaning to output the following text
without markup modification.
> And code is way too restrictive IMHO. Code is meaningless for
> installations that are not software related (and they exist). Verbatim is
> neutral.
Yes, I know that code has a context meaning, but I thought that quite a lot
of projects might make use of it, because the large majority is about
software. If you think that it's not necessary, we can just drop it.
> Also, do we really want to use <tag>? Seems to me that we'll definitely
> get into trouble as soon as someone posts bits of HTML in a comment,
> which is very likely to happen. Our tags should be somewhat unique enough.
Hm, that brings up another topic I'd like to discuss. Currently, the
user-submitted data is stored in the DB as HTML, i.e. with HTML tags being
interpreted. The output of DB items gets no filtering at all, so that HTML
attacks would be possible.
So, our current scheme is this:
input: htmlspecialchars(user input) -> database
output: database -> browser
It would be much cleaner to do it the other way round:
input: user input -> database
output: htmlspecialchars(database) -> browser
We're planning to perform some markup in the cookbook table during the next
upgrade of Savane. Shouldn't we also convert the HTML data into normal text
data?
Cheers,
--
Tobias
Warning: Trespassers will be shot.
Survivors will be shot again.
_______________________________________________ Savane-dev mailing list [email protected] https://mail.gna.org/listinfo/savane-dev
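The two schemes from the message above, side by side, as an added example (this is not Savane code, and the function names and the sample row are assumptions made up for the illustration). It shows why escaping on output is the safer convention: a row that reaches the database without going through htmlspecialchars() is still rendered safely, and it shows the one-time html_entity_decode() pass that the existing rows would need so that output-side escaping does not double-encode them.

```php
<?php
// Added example, not part of Savane. Function names are hypothetical; the
// database layer is left out because only the escaping point matters here.

// Current scheme: escape on the way in, emit the stored value untouched.
function store_escaped(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8'); // value written to the DB
}

function render_raw(string $stored): string
{
    return $stored; // no filtering: anything stored unescaped goes out as live HTML
}

// Proposed scheme: store the raw text, escape on the way out.
function store_raw(string $input): string
{
    return $input; // value written to the DB
}

function render_escaped(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// One-time migration for rows written under the current scheme: undo the
// input-side escaping once, so that render_escaped() does not turn a stored
// "&amp;" into "&amp;amp;" on display.
function migrate_row(string $stored): string
{
    return html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: what a hostile comment might contain.
$payload = '<script>alert(1)</script> & "quotes"';

// For a value that went through the intended path, both schemes display the same thing.
echo render_raw(store_escaped($payload)) === render_escaped(store_raw($payload))
    ? "both schemes agree for a normally submitted value\n"
    : "mismatch\n";

// The difference is a row that bypassed the input-side call (an old import,
// a direct SQL update, a code path that forgot to escape).
$unescaped_row = $payload;
echo "current scheme:  ", render_raw($unescaped_row), "\n";     // script tag goes out verbatim
echo "proposed scheme: ", render_escaped($unescaped_row), "\n"; // &lt;script&gt;...

// Mixing the two without migrating the stored data double-escapes.
$old_row = store_escaped('a & b');
echo "not migrated: ", render_escaped($old_row), "\n";              // a &amp;amp; b
echo "migrated:     ", render_escaped(migrate_row($old_row)), "\n"; // a &amp; b
```

The migration step assumes that every existing row really did pass through htmlspecialchars() once; a row that was stored unescaped would have any literal entity text in it decoded, so the pass has to run exactly once, over a backed-up table, at the same upgrade that switches the output code to render_escaped().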
