DarkUnderlord said: Nope, OSK is actually right when he says it's a security risk.

DriacKin said: Instead of actually fixing the problem, DU just decided to ban HTML.
OldSkoolKamikaze said:
    DriacKin said: Instead of actually fixing the problem, DU just decided to ban HTML.

This really isn't a problem you can fix. I'm pretty sure you can execute JavaScript from every HTML tag. You can try to sanitize the HTML, but that's no small feat. You'd either have to make the HTML extremely restrictive (at which point you may as well just be using BBCode) or attempt to catch every possible scenario where someone may try to sneak in some unwanted code.
Here's a nice big list of some ways you might be able to bypass filtering: http://ha.ckers.org/xss2.html
Completely disallowing HTML is really the only safe way to go. Things most people want to do with HTML can be replicated in BBCode anyway.
DriacKin said:
    OldSkoolKamikaze said:
        DriacKin said: Instead of actually fixing the problem, DU just decided to ban HTML.

    This really isn't a problem you can fix. I'm pretty sure you can execute JavaScript from every HTML tag. You can try to sanitize the HTML, but that's no small feat. You'd either have to make the HTML extremely restrictive (at which point you may as well just be using BBCode) or attempt to catch every possible scenario where someone may try to sneak in some unwanted code.
    Here's a nice big list of some ways you might be able to bypass filtering: http://ha.ckers.org/xss2.html
    Completely disallowing HTML is really the only safe way to go. Things most people want to do with HTML can be replicated in BBCode anyway.

I'd be somewhat surprised if there weren't already existing solutions that account for all this crap. Seems like something that'd be pretty useful...
    DriacKin said: I'd be somewhat surprised if there weren't already existing solutions that account for all this crap. Seems like something that'd be pretty useful...

There is. It's called BBCode.
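To make concrete the "extremely restrictive" approach OSK describes and the BBCode answer given above, here is an added example (not code from this forum or its software) of a minimal BBCode renderer: every byte of user text is HTML-escaped, only an allowlist of tags is turned into markup, and link targets must carry an http or https scheme or are shown as plain text. The tag set and the `[url=...]`-only link form are this example's own assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Allowlisted BBCode tags and the HTML they map to (assumed set). Anything
# not listed is treated as ordinary text, so unknown markup never becomes markup.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}
SAFE_URL_SCHEMES = {"http", "https"}

# Only [url=target]text[/url] is supported in this example; [url]x[/url] is literal.
TOKEN_RE = re.compile(r"\[(/?)(b|i|u|url)(?:=([^\]]*))?\]", re.IGNORECASE)


def safe_href(raw):
    """Return the URL if it has an allowlisted scheme and a host, else None."""
    parts = urlsplit(raw.strip())
    if parts.scheme.lower() not in SAFE_URL_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def render_bbcode(text):
    """Escape all text, emit only allowlisted tags, keep output balanced."""
    out, stack, pos = [], [], 0  # stack holds open HTML tags
    for m in TOKEN_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        pos = m.end()
        closing, tag, arg = m.group(1), m.group(2).lower(), m.group(3)
        if not closing:
            if tag == "url":
                href = safe_href(arg or "")
                if href is None:  # rejected target: show the tag literally
                    out.append(html.escape(m.group(0), quote=True))
                    continue
                out.append('<a href="%s">' % html.escape(href, quote=True))
                stack.append("a")
            else:
                out.append("<%s>" % SIMPLE_TAGS[tag])
                stack.append(SIMPLE_TAGS[tag])
        else:
            want = "a" if tag == "url" else SIMPLE_TAGS[tag]
            if stack and stack[-1] == want:  # only close what is open
                stack.pop()
                out.append("</%s>" % want)
            else:  # stray or mismatched close: literal text
                out.append(html.escape(m.group(0), quote=True))
    out.append(html.escape(text[pos:], quote=True))
    while stack:  # close anything left open so the HTML stays well-formed
        out.append("</%s>" % stack.pop())
    return "".join(out)
```

Because raw `<`, `>` and `"` are always escaped and tag names come only from the allowlist, there is no blocklist to bypass, which is the point of preferring BBCode over filtered HTML.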