On 7/18/05, Laurie Harper <[EMAIL PROTECTED]> wrote:
> Ed Griebel wrote:
> > So it seems like you want to a) render untrusted HTML, and b) render
> > secure html. Sounds like the basic requirement is at odds? You could
> > do something like slashdot and other BB systems do: restrict the
> > amount of valid markup to make your parsing job easier.
> 
> Ultimately, restricting allowed markup helps but doesn't make the hard
> cases much easier :-) You're right that (a) and (b) conflict somewhat,
> though. But think about something like Google Mail: it needs to be able to
> display as much of a user's mail as possible whilst still remaining secure
> against XSS attacks.

I would imagine pretty much any blogging software that allows
restricted HTML in comments (or pretty much any Wiki software that
accepts some HTML for formatting, for that matter) has dealt with this
kind of issue.  Might be worth spelunking open source versions of
those projects for ideas.

Craig
