Ben Nadel wrote:
> So, are you saying that the attribute value IS going to be an issue, or
> it is not? Sorry, I was just a bit confused if you needed any more
> ideas?

If your goal is ONLY to prevent unwanted HTML, then it's not an issue - neither is the comment thing, for that matter. If you absolutely desire clean removal of HTML, then quoted attributes with > chars in them will actually cause some leftover, unwanted text... but it won't leave any unwanted HTML tags. Take the following:

    <input type="text" name="foo" value="<embed ..>">

In a perfect world, the entire thing would be removed. However, my tag would leave "> ... not dangerous HTML or anything, but not the desired output.

But since my only goal is to allow only certain HTML or to strip "dangerous" HTML... it works fabulously. If you were stripping HTML from a blog comment for the purpose of emailing a text-only version of that comment to subscribers, you might be left with a few extra characters, like in the case above.

Rick

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:261993
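
The leftover `">` described in the message above can be reproduced and avoided as follows; this is an added Python example, not code from the thread, and Rick's tag itself is not shown. The naive pattern is an assumption about how a strip-at-first-`>` approach behaves, and the function names, the unbalanced sample, and the escaping fallback for HTML output go beyond what the post covers.

```python
import html
import re

# Constructed sample: the input from the post (elided embed attributes left
# elided) with a word on each side so the leftover text is visible.
SAMPLE = 'Hello <input type="text" name="foo" value="<embed ..>"> world'

# Constructed edge case: a tag whose attribute quote is never closed.
UNBALANCED = '<b title="x>bold'

# Assumed naive pattern: a tag ends at the first '>' that follows '<'.
NAIVE_TAG = re.compile(r'<[^>]*>')

# Quote-aware pattern: inside a tag, a quoted attribute value is consumed as
# one unit, so a '>' inside "..." or '...' does not end the tag.
QUOTE_AWARE_TAG = re.compile(r'''<(?:[^>"']|"[^"]*"|'[^']*')*>''')


def strip_naive(text):
    """Remove tags, treating the first '>' as the end of the tag."""
    return NAIVE_TAG.sub('', text)


def strip_quote_aware(text):
    """Remove tags, skipping over '>' inside quoted attribute values."""
    return QUOTE_AWARE_TAG.sub('', text)


def to_safe_html(text):
    """Strip tags, then escape whatever survived.

    A tag with an unclosed quote does not match the quote-aware pattern and
    is left in place, so output destined for an HTML page is escaped to make
    any remaining '<', '>' and quotes inert.
    """
    return html.escape(strip_quote_aware(text))


if __name__ == '__main__':
    print(repr(strip_naive(SAMPLE)))            # leftover '">' as in the post
    print(repr(strip_quote_aware(SAMPLE)))      # whole tag removed
    print(repr(strip_quote_aware(UNBALANCED)))  # unmatched, left untouched
    print(repr(to_safe_html(UNBALANCED)))       # escaped instead
```

For the text-only e-mail case in the message, `strip_quote_aware` alone gives the clean output; `to_safe_html` applies only when the result is rendered as HTML.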

