* Louis-David Mitterrand <[email protected]>
[2010-05-06 13:25]:
> Fortunately HTML::Scrubber allows denying specific attributes
> based on a regexp:
>
> 'href' => qr{^(?!(?:java)?script)}i,
> 'src' => qr{^(?!(?:java)?script)}i,
>
> etc.
Augh, no. You don’t want to *forbid* *specific* things, you want to
*permit* only a limited set and block everything else. In the
simplest case that means you want something like this:

qr{ \A [ \t]* https? :// }ix

That will allow simply-written HTTP links and nothing else.

This is possibly also OK, though I haven’t done enough research:

qr{ \A [ \t]* (?: https? :// | / ) }ix

With this, simply-written site-local absolute links are OK in
addition to HTTP links.
Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>
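The difference between the two approaches in this exchange is easiest to see by running the three regexes side by side over a set of attribute values. The following is an added example and is not code from the thread or from HTML::Scrubber; it translates the quoted denylist and the two allowlists into Python (the patterns are identical in Perl and Python syntax, and `re.X` ignores whitespace the same way `/x` does). The helper names `permitted` and `classify` are hypothetical, and the attribute values are constructed samples. It mimics HTML::Scrubber's rule semantics, where an attribute is kept only if its value matches the regex. Note one property of the second allowlist that a practitioner would want to know: because it accepts anything starting with `/`, it also admits protocol-relative URLs such as `//other-host/`, which are not site-local.

```python
import re

# Denylist from the quoted message: only rejects values whose first characters
# are "script" or "javascript" (case-insensitive). Every other scheme passes.
DENYLIST = re.compile(r'^(?!(?:java)?script)', re.I)

# Allowlist 1 from the reply: optional leading blanks, then http:// or https://.
ALLOW_HTTP = re.compile(r' \A [ \t]* https? :// ', re.I | re.X)

# Allowlist 2 from the reply: additionally accepts values starting with "/".
ALLOW_HTTP_OR_LOCAL = re.compile(r' \A [ \t]* (?: https? :// | / ) ', re.I | re.X)


def permitted(pattern, value):
    """Hypothetical stand-in for an HTML::Scrubber attribute rule:
    the attribute is kept only if the regex matches its value."""
    return pattern.search(value) is not None


def classify(value):
    """Evaluate one attribute value against all three rules."""
    return {
        'denylist': permitted(DENYLIST, value),
        'allow_http': permitted(ALLOW_HTTP, value),
        'allow_http_or_local': permitted(ALLOW_HTTP_OR_LOCAL, value),
    }


# Constructed sample href/src values (not taken from the thread).
SAMPLES = [
    'http://example.com/',          # plain HTTP link
    'HTTPS://example.com/page',     # scheme in upper case
    '  https://example.com/',       # leading blanks, tolerated by [ \t]*
    '/images/logo.png',             # site-local absolute path
    '//example.net/x',              # protocol-relative: starts with "/" too
    'ftp://example.com/pub',        # non-HTTP scheme
    'data:text/plain,hello',        # non-HTTP scheme
    'mailto:[email protected]',   # non-HTTP scheme
]


def report(samples=SAMPLES):
    """Return one row per sample showing which rule would keep the attribute."""
    rows = []
    for value in samples:
        result = classify(value)
        rows.append((value, result['denylist'], result['allow_http'],
                     result['allow_http_or_local']))
    return rows


if __name__ == '__main__':
    print(f"{'value':32} {'denylist':>8} {'http':>6} {'http|/':>7}")
    for value, deny, http, local in report():
        print(f"{value!r:32} {str(deny):>8} {str(http):>6} {str(local):>7}")
```

Running it shows the point of the reply: the denylist keeps `ftp:`, `data:` and `mailto:` values because it only names what to reject, while the allowlist keeps the HTTP links alone; the second allowlist adds `/images/logo.png` but, as a side effect of the `/` alternative, also `//example.net/x`.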
_______________________________________________
Markdown-Discuss mailing list
[email protected]
http://six.pairlist.net/mailman/listinfo/markdown-discuss