On Tue, Jan 12, 2010 at 10:15:32AM +0000, Mike Cardwell wrote:
> On 12/01/2010 06:28, Chip M. wrote:
>
>>> Presently it renders them as plain text. I'm fully aware of the
>>> potential problems with it. Ideally I'd like to be able to render
>>> those parts as HTML, but I need to be 100% sure that I've stripped
>>> out anything dangerous (including embedded remote content by
>>> default) first. It's on the "ToDo List" page.
>>
>> Nice job Mike! :)
>>
>> I wrestled with that same issue when I added direct viewing of HTML
>> content to my offline analysis/FP-pipeline/MassChecks tool.
>>
>> Originally, I was using an ActiveX wrapper around IE, which (of
>> course) made me nervous.  I added some VERY simple, crude tag
>> stripping (script, iframe, style), but was never happy with it.
>> I ended up switching to an open source HTML rendering component
>> which :) lacked support for all the scary stuff.
>>
>> Whatever you decide to do, please do post more about it, and q'pla!
>
> I shall. There are a multitude of modules on CPAN for fixing up HTML and
> stripping out tags. I just need to find time to test them. I've got to
> figure out how to "cleanse" the CSS as well. E.g., you can execute
> JavaScript from CSS with stuff like:
> background:url("javascript:someFunction();")

IMO whatever you do, there will always be some hole to be found. Your only
safe option is to render the HTML into an image and display that. It will also
always be consistent and not depend on browser version.
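One way to do the CSS "cleansing" Mike asks about above, written as an added example for this thread rather than code from any of the CPAN modules or tools mentioned: every url() value is checked against an allow-list of schemes, the javascript: case from the quoted message is replaced by none, and remote http(s) references are dropped unless the caller opts in. The policy and the sample stylesheet are constructed for the example; it is a raw-text filter meant to sit behind a real CSS tokenizer, not replace one.

```python
import re

# Constructed allow-list policy (not from any CPAN module): scheme-less
# references are kept, http(s) only when the caller opts in, everything else
# (javascript:, vbscript:, data:, unknown schemes) becomes "none".
_REMOTE_SCHEMES = frozenset({"http", "https"})

# url( ... ) with optional single/double quotes.  An unquoted url token ends at
# the first ")", which is what the non-greedy ".*?" gives us.
_URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)


def _scheme(value: str) -> str:
    """Lowercased scheme of a url() value, or '' for a relative reference.

    Whitespace and control characters are dropped before matching because
    browsers ignore them while reading the scheme; matching the raw text
    would let a padded scheme through.
    """
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    m = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def sanitize_css(css: str, allow_remote: bool = False) -> str:
    """Replace every disallowed url(...) in a stylesheet or style attribute."""
    allowed = {""} | (_REMOTE_SCHEMES if allow_remote else set())

    def repl(m: re.Match) -> str:
        value = m.group(2)
        # Backslash escapes could encode a scheme character and hide it from
        # the check above; this filter runs on raw text, so refuse them.
        if "\\" in value:
            return "none"
        return m.group(0) if _scheme(value) in allowed else "none"

    return _URL_RE.sub(repl, css)


if __name__ == "__main__":
    # Constructed sample: the case from the thread plus a remote and a local image.
    sample = ('p{background:url("javascript:someFunction();")} '
              'div{background:url(http://example.invalid/x.png)} '
              'span{background:url(local.png)}')
    print(sanitize_css(sample))
    print(sanitize_css(sample, allow_remote=True))
```

The same function can be run over the value of each style attribute after the HTML tag-stripping pass, since the url() syntax is identical there.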
