on 1/30/01 2:19 PM, "Santiago Gala" <[EMAIL PROTECTED]> wrote:
>> A better methodology for this is to simply remove the tags that you don't
>> know about and keep the ones that you want...this can be done with a regular
>> expression. I suggest that you do it this way. :-)
>>
> One interesting approach could be to remove everything except for
> "inline" (em, strong, ...) markup, line breaks, paragraphs and lists,
> something like what Slashdot does in their editor. It is fairly safe, I
> think.
Uhh....That's what I just said...:-)
I also think that this code should be utility code and moved up into
Turbine.
> Such code would be useful for allowing some markup in the
> JetspeedContent weblog.
>
> I doubt, nevertheless, that this code could make sense of most
> editor-made pages out there, filled with tables inside tables with font
> inside fonts tags :)
The issue is larger than that. Someone with a syndication service could put
HTML into your portlet that would then be displayed to all users. This is
known as the Cross Site Scripting Bug...please see the relevant CERT
advisories regarding this.
-jon
--
Honk if you love peace and quiet.
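The allowlist approach both posters describe (drop every tag you do not know, keep inline emphasis, line breaks, paragraphs and lists) is worth showing concretely. The sanitizer below is an added example written for this page; it is not code from the thread, from Jetspeed or from Turbine. It is in Python rather than Java so it runs stand-alone, and it uses a tokenizing HTML parser rather than a regular expression, because a tokenizer sees tag boundaries, attributes and `<script>` bodies the way a browser does, which is hard to get right with regex alone. The tag set, the class and function names, and the sample inputs are all my own choices, not anything the thread specifies.

```python
import html
from html.parser import HTMLParser

# Allowlist in the spirit of the thread: inline emphasis, line breaks,
# paragraphs and lists. Every other tag is dropped, and no attribute
# survives on the tags that are kept (so onclick=, style=, href=javascript:
# and the like never reach the page).
ALLOWED_TAGS = {"em", "strong", "b", "i", "br", "p", "ul", "ol", "li"}
VOID_TAGS = {"br"}
# Elements whose text content is discarded along with the tags.
DROP_CONTENT_TAGS = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Tokenise untrusted HTML and re-emit only allowlisted tags, attribute-free."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, used to keep output balanced
        self.drop_depth = 0   # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag: the tag goes, its text content stays
        self.out.append(f"<{tag}>")   # attributes deliberately not copied
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in self.open_tags:
            return            # stray or disallowed end tag: ignore it
        # Close everything opened after this tag so nesting stays valid.
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        # Text is re-escaped on output, so a literal '<' or '&' in the input
        # can never be reinterpreted as markup.
        if self.drop_depth == 0:
            self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        pass                  # comments are dropped entirely

    def result(self):
        self.close()
        for t in reversed(self.open_tags):   # close anything left open
            self.out.append(f"</{t}>")
        self.open_tags = []
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return a copy of untrusted_html containing only allowlisted, bare tags."""
    p = AllowlistSanitizer()
    p.feed(untrusted_html)
    return p.result()


if __name__ == "__main__":
    # Constructed sample inputs of the kind a syndicated feed might carry.
    samples = [
        '<p onclick="x()">Hi <em>there</em></p>',
        '<script>alert(1)</script>plain text',
        '<a href="javascript:alert(1)">click</a>',
        '<img src=x onerror=alert(1)>',
        '<em>unclosed emphasis',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize(s)))
```

Two design points: the parser, not the regex, decides where a tag ends, so a payload split across attributes or a `<script>` body is handled the way a browser would see it, and text nodes are re-escaped on the way out, so even content the allowlist lets through cannot smuggle raw `<` or `&`. Tags the feed author used for layout (tables, fonts) simply vanish, which is the behaviour Santiago anticipates for "editor-made" pages.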
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Search: <http://www.mail-archive.com/[email protected]/>
List Help?: [EMAIL PROTECTED]