On Apr 3, 2:20 pm, mahemoff <mahem...@gmail.com> wrote:

> This is along the lines of what I'd like to see, but as with FND, I'd
> much rather avoid the negative term "sanitize_unless" if possible, and
> have it as "sanitize" instead. I have a hard time getting my head
> around "sanitize_unless: NONE".

See my response to FND for more on that.

> Also, I had in mind the sanitise algorithm would be flexible with a
> sensible default, so someone could add a plugin with a more/less
> restrictive sanitize() function. Related to that, how do we know what
> kind of content this is, for the purpose of sanitisation. It could be
> HTML, a stylesheet, or Javascript. (I can imagine even JS being
> sanitised at some point using Caja.) Or it could be some other format
> for something other than a web doc.

Yes, I've been assuming some kind of stack of sanitizers with a reasonable
(and simple) default that can be replaced by configuration so some bright
bulb could come along and make a sanitizer that was Awesome™.

Knowing what the content is is kind of hard. We can pay attention to the
content-type of the request, but that's not going to be safe in the face
of someone who is malicious, largely because it is not possible to get
browsers to attend to content-type in the responses they get: the person
can PUT some HTML as image/png if they like. TiddlyWeb can be as strict
as we like about sending the correct content-type, but if the browser
chooses to ignore it and interprets the content as something else,
strangeness can happen.

There are libraries out and about that do content-type detection, so I
guess there's that. It's a hard problem to get truly correct, which is
probably why I've been avoiding it thus far.
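As an added illustration of the two ideas in the thread (a sanitizer stack with a simple, replaceable default, and a server-side check that the declared content-type matches the bytes actually PUT), here is a small self-contained Python sketch. It is example code written for this page, not TiddlyWeb's own code; the function names (`register_sanitizer`, `sanitize`, `check_declared_type`, `store_tiddler`, `response_headers`), the tiny magic-byte table, and the regex-based plugin sanitizer are all assumptions constructed for the demonstration.

```python
import html
import re

# Constructed magic-byte table (not TiddlyWeb's): leading bytes -> real type.
MAGIC_BYTES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Strict default sanitizer: escape everything, so stored text can never be
# interpreted as markup.  This is the "reasonable (and simple) default".
def escape_all(text):
    return html.escape(text, quote=True)

# Hypothetical looser plugin sanitizer: drop script/style blocks and inline
# on* event handlers but keep ordinary markup.  Registered below to show
# that the default in the stack is replaceable by configuration.
_BLOCK_RE = re.compile(r"<(script|style)\b.*?</\1\s*>", re.I | re.S)
_HANDLER_RE = re.compile(r"\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)

def strip_active_content(text):
    text = _BLOCK_RE.sub("", text)
    return _HANDLER_RE.sub("", text)

# Registry: declared content type -> sanitizer callable.  Types with no
# registered entry fall back to the strict default.
SANITIZERS = {}

def register_sanitizer(content_type, func):
    SANITIZERS[content_type] = func

def sanitize(content_type, text):
    return SANITIZERS.get(content_type, escape_all)(text)

def sniff_type(body):
    """Return the type implied by a known binary signature, else None."""
    for magic, ctype in MAGIC_BYTES.items():
        if body.startswith(magic):
            return ctype
    return None

def check_declared_type(declared, body):
    """True when the declared type is consistent with the body bytes."""
    sniffed = sniff_type(body)
    if sniffed is not None:
        return sniffed == declared
    # No known binary signature: a body that claims to be an image is not one
    # (this is the "HTML PUT as image/png" case from the thread).
    return not declared.startswith("image/")

def store_tiddler(declared_type, body):
    """Hypothetical PUT handler: reject mismatched types, sanitize text."""
    if not check_declared_type(declared_type, body):
        raise ValueError("body does not match declared %s" % declared_type)
    if declared_type.startswith("text/"):
        text = body.decode("utf-8")
        return declared_type, sanitize(declared_type, text).encode("utf-8")
    return declared_type, body

def response_headers(content_type):
    # Always send an explicit type.  X-Content-Type-Options: nosniff is a
    # real response header that asks browsers not to second-guess it.
    return {"Content-Type": content_type,
            "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    # Constructed inputs: an HTML body mislabelled as a PNG is refused,
    # a real PNG header passes, and HTML text goes through the default.
    print(check_declared_type("image/png", b"<script>alert(1)</script>"))
    print(store_tiddler("text/html", b"<b>hi</b>"))
```

The magic-byte check only catches the crude mislabelling the thread describes; a full detector such as libmagic covers far more, and the `nosniff` header is the piece that addresses the browser side of the problem the reply calls "not possible" to control.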