> Are they? The safest thing is certainly to block anything we don't
> understand.

True, ideally we should be using something like JTidy to parse the HTML to XML, then filter it, then spit it out to the browser. The JTidy jar is 142k, but this will slow things down. Additionally, I think JTidy relies on the XML stuff in post-1.1 versions of Java.

Basically, to be 100% safe, any given piece of HTML should be assumed *insecure* unless we can affirm that it isn't. Easier said than done though.

Ian.

--
Ian Clarke ian@[freenetproject.org|locut.us|cematics.com]
Latest Project http://cematics.com/kanzi
Personal Homepage http://locut.us/
_______________________________________________
devl mailing list
devl at freenetproject.org
http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/devl
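
The parse, filter, re-emit approach from the message above, sketched as an added example that is not part of the original e-mail or of Freenet's code. It uses Python's standard `html.parser` in place of JTidy, and the tag, attribute and URL-scheme allowlists are assumptions chosen for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy for this example: tag -> attributes that may be kept.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
VOID = {"br"}                         # elements with no end tag
DROP_CONTENT = {"script", "style"}    # elements whose text is dropped too
SAFE_SCHEMES = {"", "http", "https"}  # "" means a relative link

def safe_url(value):
    value = (value or "").strip()
    if any(ord(c) < 0x20 for c in value):  # control chars can hide a scheme
        return False
    try:
        return urlsplit(value).scheme.lower() in SAFE_SCHEMES
    except ValueError:                     # unparseable means not affirmed
        return False

class AllowlistFilter(HTMLParser):
    # Comments, doctypes and PIs hit the default no-op handlers: dropped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # not understood: emit nothing
        kept = [(k, v) for k, v in attrs
                if k in ALLOWED[tag] and (k != "href" or safe_url(v))]
        self.out.append("<" + tag + "".join(
            f' {k}="{html.escape(v or "", quote=True)}"' for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def filter_html(untrusted):
    f = AllowlistFilter()
    f.feed(untrusted)
    f.close()  # flush text still buffered by the parser
    return "".join(f.out)
```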
