I think whitelist will help with that by sanitizing the input. So you will need to use a combination of tools here to provide the user with an easy way to add markup, and a server-side way to untaint the input.

--Dan

On Fri, Oct 31, 2008 at 2:39 PM, Ken <[EMAIL PROTECTED]> wrote:
> Hi Dan,
>
> Well, I'm not sure if that would help. These tools would definitely make it easier for legitimate users to enter things that would need HTML markup (like unordered lists or links), but they wouldn't really help with malicious users, would they? Couldn't a malicious user still just enter whatever harmful markup they wanted? I don't normally see WYSIWYG editors on blog comment forms. Usually, I just see a textarea and a submit button. I'm curious how they prevent XSS. Do you know?
>
> Thanks, Ken
>
> On Oct 31, 2:29 pm, "Dan Simpson" <[EMAIL PROTECTED]> wrote:
> > What about a WYSIWYG? That's how WordPress handles it.
> >
> > FCKEditor and TinyMCE are two popular JavaScript-based WYSIWYG editors.
> >
> > --Dan
> >
> > On Fri, Oct 31, 2008 at 2:21 PM, Ryan Felton <[EMAIL PROTECTED]> wrote:
> > > Assuming you're not using WordPress as your blogging engine: http://wordpress.org/extend/plugins/wp-syntax/screenshots/
> > > I'd say check out the library http://code.google.com/p/syntaxhighlighter/ .
> > >
> > > I've used the white list plugin http://svn.techno-weenie.net/projects/plugins/white_list/ and added table, th, tr, and td tags to it.
> > >
> > > Ryan
> > >
> > > On Oct 31, 2008, at 4:07 PM, Ken Hudson wrote:
> > > Hi All,
> > > I'm working on a new application that will need a blog. The basics for creating a blog are well documented all over the web and are pretty easy and straightforward. However, most of what you find is very simplistic: blog entries and comments just consisting of simple text, for example. In my application, I will need to allow blog posts to have at least some HTML markup (e.g., links, unordered lists, and in particular images). The same goes for blog comments. Does anyone have any suggestions on how to go about doing this?
> > > RedCloth would appear to be one alternative, but my users aren't going to know Textile and there's no way I can expect them to learn it. I need to balance my requirements with a healthy concern for cross-site scripting (XSS) and I'm unsure how to proceed. I'm very curious how sites like http://www.rubyinside.com accomplish this. I would greatly appreciate any advice!
> > >
> > > Thanks, Ken

SD Ruby mailing list [email protected] http://groups.google.com/group/sdruby
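As an added example for this thread (it is not the white_list plugin's code, nor anything anyone here posted), here is a minimal allowlist sanitizer in plain Ruby that shows the server-side untainting Dan describes, with Ryan's table, th, tr and td tags in the allowed set. The tag and attribute lists and the function names are assumptions chosen for the example.

```ruby
# Added example: a minimal allowlist HTML sanitizer in plain Ruby (stdlib only).
# Not the white_list plugin's code; tag/attribute lists are assumptions.
require 'cgi'
require 'uri'

# Tags a blog post or comment may keep (Ryan's table/th/tr/td additions included).
ALLOWED_TAGS  = %w[a b i em strong ul ol li p br img table th tr td].freeze
# Attributes kept per tag; anything else (class, style, on* handlers) is dropped.
ALLOWED_ATTRS = { 'a' => %w[href title], 'img' => %w[src alt] }.freeze
# URL schemes accepted in href/src; relative URLs are accepted too.
SAFE_SCHEMES  = %w[http https mailto].freeze

# True for relative URLs and for absolute ones whose scheme is allowlisted.
def safe_url?(value)
  uri = URI.parse(value.strip)
  uri.scheme.nil? || SAFE_SCHEMES.include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  false
end

# Rebuild an opening tag from scratch so only allowlisted attributes survive.
def rebuild_tag(name, attr_str)
  allowed = ALLOWED_ATTRS.fetch(name, [])
  pairs = attr_str.scan(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/)
  kept = pairs.filter_map do |key, dq, sq, bare|
    key = key.downcase
    val = dq || sq || bare
    next unless allowed.include?(key)
    next if %w[href src].include?(key) && !safe_url?(val)
    %( #{key}="#{CGI.escapeHTML(val)}")
  end
  "<#{name}#{kept.join}>"
end

# Allowlisted tags are rebuilt; everything else that looks like markup
# (unknown tags, stray < and >) is HTML-escaped so it renders as text.
def sanitize_html(input)
  input.gsub(%r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[<>]}) do
    close, name, attrs = $1, $2, $3
    if name && ALLOWED_TAGS.include?(name.downcase)
      close == '/' ? "</#{name.downcase}>" : rebuild_tag(name.downcase, attrs)
    else
      CGI.escapeHTML($&)
    end
  end
end
```

Unknown tags are escaped rather than silently deleted, so a reader can still see what was typed, and href/src values are re-escaped on output so encoded scheme tricks do not decode back into a colon.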
