I'm going through old emails I hadn't read, sorry it's taken so long to
respond.
> On Thu, 3 Mar 2005 16:07:05 -0500, Mike Chabot
> <[EMAIL PROTECTED]> wrote:
> > I am saying that if the user tries to enter tags to make text
> > bold, he is going to be disappointed because the HtmlEditFormat tag
The two ways I've handled this in the past:
#1 - use BBML. CFMBB (www.cfmbb.org) includes a parseBBML udf that I
converted from a custom tag written by the dude who runs the depressed
press. The nice thing about the BBML parser is that if someone uses a
[b] but not [/b], then the opening bold
Another approach to this problem is to use a non-HTML markup language like
BBML or something. Then there's no possibility for evil, but you do
need a BBML parser (though I know at least one CFML implementation
exists).
Another route would be to explicitly allow stuff you DO want, rather
than denying ever
On Thu, 3 Mar 2005 16:07:05 -0500, Mike Chabot <[EMAIL PROTECTED]> wrote:
> I am saying that if the user tries to enter tags to make text
> bold, he is going to be disappointed because the HtmlEditFormat tag
> basically wipes out all HTML.
>
> If I wanted to allow limited HTML, I would have to sc
If you want the user to enter basic formatting commands, you can adopt the
approach many discussion boards use...
tell the user to use your "special tags"
[b] [/b] for bold etc.
You define the tags...they use them. When you display the data later you
parse out those tags and replace with valid
I am saying that if the user tries to enter tags to make text
bold, he is going to be disappointed because the HtmlEditFormat tag
basically wipes out all HTML.
If I wanted to allow limited HTML, I would have to scan the string for
all potentially dangerous tags, which I believe would be less effic
> This code assumes the user is not allowed to enter HTML markup in the
> text fields.
By this you mean that the submitted data is checked for HTML content
via another means? Because the way you said it (the form field itself
prevents HTML from being entered) isn't secure.
cheers,
barneyb
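The approach the thread converges on (escape every HTML character the user typed, then translate only a small set of forum-style [b]/[i] markers into real tags, and treat anything else as literal text) is easy to get wrong if the escaping and the tag translation are done in the wrong order or if an unclosed [b] is allowed to leak past the end of the post. The block below is an added example written for this summary; it is not code from the thread, from CFMBB, or from the parseBBML UDF it mentions, and it is Python rather than CFML so it can run anywhere. The tag whitelist, the `render_bbml` name and the choice to auto-close tags left open at the end of the post are my assumptions about what the cut-off description of "uses a [b] but not [/b]" was getting at.

```python
import html
import re

# Whitelist of forum-style markers and the HTML element each one becomes.
# Anything not listed here is left as literal text (assumed set, not the thread's).
ALLOWED_TAGS = {
    "b": "strong",
    "i": "em",
    "u": "u",
}

# Matches [tag] or [/tag]; the brackets survive html.escape untouched.
TAG_RE = re.compile(r"\[(/?)([A-Za-z]+)\]")


def render_bbml(text: str) -> str:
    """Escape all HTML first (the HtmlEditFormat step), then translate whitelisted tags."""
    # Step 1: neutralise <, >, &, " and ' so raw markup can never reach the page.
    escaped = html.escape(text, quote=True)

    out = []
    stack = []  # names of BBML tags currently open, for nesting and auto-close
    pos = 0
    for m in TAG_RE.finditer(escaped):
        closing = m.group(1) == "/"
        name = m.group(2).lower()
        if name not in ALLOWED_TAGS:
            continue  # unknown marker such as [img]: keep it as literal text
        out.append(escaped[pos:m.start()])
        pos = m.end()
        if not closing:
            stack.append(name)
            out.append(f"<{ALLOWED_TAGS[name]}>")
        elif name not in stack:
            out.append(m.group(0))  # stray closing marker: keep it literal
        else:
            # Close everything opened after this tag, then the tag itself,
            # so the output is always properly nested.
            while stack:
                top = stack.pop()
                out.append(f"</{ALLOWED_TAGS[top]}>")
                if top == name:
                    break
    out.append(escaped[pos:])

    # Step 2: auto-close anything still open so formatting cannot bleed into
    # the next post on the page.
    while stack:
        out.append(f"</{ALLOWED_TAGS[stack.pop()]}>")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, not posts from the list.
    for sample in ("[b]hello[/b] <b>raw</b>", "[b]unclosed", "[b][i]nested[/b]", "[img]x[/img]"):
        print(repr(sample), "->", render_bbml(sample))
```

The order of the two steps is the whole point: escaping first means the translation step only ever inserts tags the server chose, so a user typing `<script>` or a `[b]` with an `onmouseover` smuggled inside still ends up as harmless text. This is the server-side check barneyb asks about; nothing the form field does in the browser can be relied on.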
On Th