On Monday 6 February 2006 18:31, Tobias Toedter wrote:
> On Monday 06 February 2006 18:00, Mathieu Roy wrote:
> > On Monday 6 February 2006 17:48, Tobias Toedter wrote:
> > > This commit just changes indentation and adds a placeholder condition
> > > around the formatting code. The condition will be modified to be able
> > > to selectively bypass the markup code when special markup tags are
> > > encountered (<nowiki>, <pre>, <code>).
> >
> > ??
> >
> > What does nowiki mean, what does pre mean?
>
> <nowiki> is a tag used by MediaWiki, to disable the wiki formatting. I
> think this is something we need, too.
>
> <pre> is just the plain old HTML <pre>, meaning to output the following
> text without markup modification.
>
> > And code is way too restrictive IMHO. Code is meaningless for
> > installations that are not software related (and they exist). Verbatim is
> > neutral.
>
> Yes, I know that code has a context meaning, but I thought that quite a lot
> of projects might make use of it, because the large majority is about
> software. If you think that it's not necessary, we can just drop it.

What you mention as pre, nowiki and code refers to what I called "verbatim",
see the related task comment. Verbatim is a neutral word that means exactly
what we mean; pre is incomprehensible if you don't know HTML, nowiki is
confusing (there's no wiki involved here), and code is too specific.

> > Also, do we really want to use <tag>? Seems to me that we'll definitely
> > get into trouble as soon as someone posts bits of HTML in a comment,
> > which is very likely to happen. Our tags should be somewhat unique enough.
>
> Hm, that brings up another topic I'd like to discuss. Currently, the user
> submitted data is stored in the DB as HTML, i.e. with HTML tags being
> interpreted. The output of DB items gets no filtering at all, so that HTML
> attacks would be possible.
>
> So, our current scheme is this:
> input: htmlspecialchars(user input) -> database
> output: database -> browser
>
> It would be much cleaner to do it the other way round:
> input: user input -> database
> output: htmlspecialchars(database) -> browser

Do we really convert things to htmlspecialchars before inserting things in
the database? I don't remember, but that indeed seems awkward. What happens
then if we grab the database content to put it in a plain text mail: does the
plain text get HTML entities? Weird. Are you sure we don't do the latter?

> We're planning to perform some markup in the cookbook table during the next
> upgrade of Savane. Shouldn't we also convert the HTML data into normal text
> data?

We should.

-- 
Mathieu Roy
  +---------------------------------------------------------------------+
  | General Homepage:    http://yeupou.coleumes.org/                    |
  | Computing Homepage:  http://alberich.coleumes.org/                  |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +---------------------------------------------------------------------+
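Added example, not from the thread and not Savane's own code (written in Python rather than Savane's PHP, with `html.escape` standing in for `htmlspecialchars`): it models the two schemes Tobias describes and the plain-text mail question Mathieu raises, using a constructed comment as input. It also shows the double-escaping trap if output escaping is added without converting rows already stored under the old scheme, and the conversion step itself.

```python
import html

# Constructed sample comment; not taken from the thread.
USER_INPUT = 'Use <pre>x < y && y > z</pre> & see "docs"'


# Scheme 1, as described for the current code:
#   input:  htmlspecialchars(user input) -> database
#   output: database -> browser (no filtering)
def store_scheme1(user_input: str) -> str:
    # html.escape plays the role of PHP's htmlspecialchars().
    return html.escape(user_input, quote=True)


def to_browser_scheme1(db_value: str) -> str:
    # Emitted as-is: only safe if every writer to the DB escaped its input.
    return db_value


def to_plain_mail_scheme1(db_value: str) -> str:
    # The entities added at input time leak into a text/plain mail body.
    return db_value


# Scheme 2, the proposed one:
#   input:  user input -> database
#   output: htmlspecialchars(database) -> browser
def store_scheme2(user_input: str) -> str:
    return user_input


def to_browser_scheme2(db_value: str) -> str:
    # Escaping happens at the HTML sink, where the output context is known.
    return html.escape(db_value, quote=True)


def to_plain_mail_scheme2(db_value: str) -> str:
    # Raw text is exactly what a text/plain mail wants; no entities appear.
    return db_value


def mail_has_leaked_entities(mail_body: str) -> bool:
    """True if a plain-text mail body contains HTML entities it should not."""
    return html.unescape(mail_body) != mail_body


def convert_stored_row(db_value: str) -> str:
    """Migration step for rows written under scheme 1: turn the stored
    entities back into plain text so scheme 2 output does not double-escape.
    Only valid for rows that really were escaped on input; a row that reached
    the DB unescaped (another writer, an import) must be left alone."""
    return html.unescape(db_value)
```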
