Jon Stevens wrote:
>
> on 1/30/01 2:19 PM, "Santiago Gala" <[EMAIL PROTECTED]> wrote:
>
> >> A better methodology for this is to simply remove the tags that you don't
> >> know about and keep the ones that you want...this can be done with a regular
> >> expression. I suggest that you do it this way. :-)
> >>
> > One interesting approach could be to remove everything except for
> > "inline" (em, strong, ...) markup, line breaks, paragraphs and lists,
> > something like what Slashdot does in their editor. It is fairly safe, I
> > think.
>
> Uhh....That's what I just said...:-)
Yes. Maybe I was not clear. There were two purposes in my re-statement:
- to give concrete examples just in case somebody picks up the code
(concrete wishlist and hint)
- to stress that I am not bound to disagree with you :)
>
> I also think that this code should be utility code and moved up into
> Turbine.
>
+1. The portlet belongs to Jetspeed. The "cleaner and rinser" utility
classes belong to Turbine.
> > Such code would be useful for allowing some markup in the
> > JetspeedContent weblog.
> >
> > I doubt, nevertheless, that this code could make sense of most
> > editor-made pages out there, filled with tables inside tables with font
> > inside fonts tags :)
>
> The issue is larger than that. Someone with a syndication service could put
> HTML into your portlet that would then be displayed to all users. This is
> known as the Cross Site Scripting Bug...please see the relevant CERT
> advisories regarding this.
>
Giving concrete links, this short document explains and gives tips on
how to "clean" untrusted markup:
http://www.cert.org/tech_tips/malicious_code_mitigation.html/
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Search: <http://www.mail-archive.com/[email protected]/>
List Help?: [EMAIL PROTECTED]
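The allowlist approach the thread converges on (keep only inline emphasis, line breaks, paragraphs and lists; drop every tag you do not know), as an added example that is not part of the original thread and is not Turbine or Jetspeed code. The class name `MarkupRinser`, the tag set and the sample feed text are all constructed for this illustration. It also covers the point Jon raises about syndicated content: kept tags are rebuilt from their name alone, so attributes such as event handlers never reach the portlet's users, and unknown tags vanish while the text around them is retained.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical allowlist-based "cleaner and rinser" for untrusted markup,
 * written for this thread (not Turbine or Jetspeed code). It keeps only the
 * tags the thread proposes (inline emphasis, line breaks, paragraphs, lists),
 * strips every attribute from the tags it keeps, removes all other tags, and
 * escapes any '<' or '>' left over in text so a browser cannot treat it as markup.
 */
public class MarkupRinser {

    /** Tag names that survive (compared case-insensitively); everything else is removed. */
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
            "em", "strong", "b", "i", "br", "p", "ul", "ol", "li"));

    /** Group 1: optional '/', group 2: tag name; the remainder (attributes) is discarded. */
    private static final Pattern TAG = Pattern.compile("<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>");

    /** Returns a copy of the input containing only allowed, attribute-free tags and escaped text. */
    public static String rinse(String untrusted) {
        StringBuilder out = new StringBuilder();
        Matcher m = TAG.matcher(untrusted);
        int last = 0;
        while (m.find()) {
            // Text between tags is copied with angle brackets neutralised.
            escapeText(untrusted.substring(last, m.start()), out);
            String name = m.group(2).toLowerCase();
            if (ALLOWED.contains(name)) {
                // Rebuild the tag from its name only, so onmouseover, href, style, etc. never survive.
                out.append('<').append(m.group(1)).append(name).append('>');
            }
            // Unknown tags (script, img, iframe, font, table, ...) are dropped; surrounding text is kept.
            last = m.end();
        }
        escapeText(untrusted.substring(last), out);
        return out.toString();
    }

    /** Text outside recognised tags: escape stray angle brackets (e.g. an unclosed "<script"). */
    private static void escapeText(String text, StringBuilder out) {
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c == '<') {
                out.append("&lt;");
            } else if (c == '>') {
                out.append("&gt;");
            } else {
                out.append(c);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample of the kind of syndicated HTML a portlet might receive.
        String feed = "<p>Hello <b onmouseover=\"alert(1)\">world</b>"
                + "<SCRIPT>alert('xss')</script>"
                + "<img src=x onerror=alert(2)>"
                + "<a href=\"javascript:alert(3)\">link</a>"
                + "<ul><li>one</li></ul> 1 < 2 <script";
        System.out.println(rinse(feed));
    }
}
```

A regular expression is the first cut the thread suggests, and it is adequate for a text-only weblog entry, but it is not a full HTML parser: a quoted `>` inside an attribute of a dropped tag, comments and CDATA sections, and unbalanced or nested allowed tags are handled by escaping the leftovers as text, which keeps script from running but can still mangle layout. The CERT tech tip linked above recommends the same allowlist stance; parsing the markup into a tree and serialising only the allowed elements is the more robust version of this utility, and any output that reaches a page should still pass through Turbine's normal output encoding.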