Chris Shiflett wrote:
> --- "CPT John W. Holmes" <[EMAIL PROTECTED]> wrote:
>> Heh... my turn to disagree again. You can do a simple str_replace()
>> to convert "&lt;b&gt;" back into "<b>", but you're going to have to
>> do it for each case. Also by doing that blindly, you can end up with
>> orphaned tags affecting the rest of your page (making it all bold,
>> for example).
>
> How does bbcode make this easier or even different? It seems
> to me that &lt;b&gt; and [b] are a lot alike; they're both
> specific strings that you want to be converted to <b>. The
> difference is relying on the user to learn a markup language
> specific to your application. With no real benefit in doing
> so, this is an unnecessary complication.
>
> Slash uses regular HTML, and unlike any of our PHP
> equivalents (unfortunately), it is actually a nice CMS that
> isn't plagued with security vulnerabilities. So, my opinion
> isn't unique. Maybe I'm just the only non-Perl guy who thinks this
> way. :-)
>
>> Your turn. :)
>
> Heh. :-) I don't think taking turns will help. We're probably
> both too stubborn to yield our respective positions. This
> isn't a new topic to me, and unless someone can bring up a
> point I haven't considered before, my opinion was made long ago.
>
> Chris
I don't think there is ONE best solution in this. It all comes down to what kind of user you're expecting to use the application and what kind of input you would want to allow. To what extent those users are 'to be trusted'. And also what to do with invalid input.

The way I see it, in HTML there are four major groups of tags:

1) tags to separate sections (<HTML><BODY><FRAMESET>)
2) tags that go into the header
3) tags to lay the structure of your PAGE (<div><table>)
4) tags harmless for the structure, used for text formatting only (<b><i><u><font>)

In my experience, web applications that let users input some code only provide tags from group 4. Just let users markup their own text, but make sure the general site layout is not influenced. Too wide <TABLE>'s or layers would push out parts of the webpage's structure, so not wanted. <B> tags are generally harmless.

When you can trust your users to be of good nature, not WANTING to mess up the page, it's safe to allow those and strip_tags the rest out. If you cannot trust the users, and expect them to be wanting to mess up OR are expecting users without a lot of HTML experience, give them ubb-like things to mess with. Give them [bold], [green], [quote] and they are as happy as you are.

Now let's look at allowing <grin> and what to do with entered <table> tags. A user would want its <grin> text to be displayed as is, where a user entering disallowed <TABLE> tags is probably best off with either an ignored post or just not showing the <TABLE> text.

First example: &gt; and &lt; are GREAT, I love them and do use them a lot.
Second example: strip_tags() is my bitch.

Then you'd have to think about what properties to (dis)allow. When preg_replace()'ing things like

/(style|class|on[\w]+)=['"]?[^"' ]*['"]? /

to an empty string, you're getting safer and safer.

So .. Turn passes left ;)

Wouter

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
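The two approaches argued over in this thread, as an added example that is not code from any of the posters: a whitelist of "group 4" formatting tags with every attribute removed and orphaned tags closed, beside the escape-everything-then-translate-bbcode alternative. The function names and the sample inputs are my own.

```php
<?php
// Added example. Whitelist approach: keep only harmless formatting tags.
// strip_tags() keeps attributes on the tags it allows, so a surviving
// <b style=".." onclick=".."> still needs a second pass; orphaned tags are
// closed so an unclosed <b> cannot affect the rest of the page.
function sanitize_formatting_html(string $input, array $allowed = ['b', 'i', 'u']): string
{
    $keep = '<' . implode('><', $allowed) . '>';
    $out  = strip_tags($input, $keep);            // <table>, <div>, <script> ... are gone
    // Drop every attribute from the remaining opening tags: <b class="x"> -> <b>
    $out = preg_replace('/<([a-z]+)\b[^>]*>/i', '<$1>', $out);
    // Balance the tags: stray/mis-nested closers are dropped, open ones are closed.
    $open = [];
    $out = preg_replace_callback('/<(\/?)([a-z]+)>/i', function (array $t) use (&$open): string {
        $name = strtolower($t[2]);
        if ($t[1] === '') {                       // opening tag
            $open[] = $name;
            return "<$name>";
        }
        if ($open && end($open) === $name) {      // closer matches innermost open tag
            array_pop($open);
            return "</$name>";
        }
        return '';                                // stray closing tag: remove it
    }, $out);
    while ($open) {
        $out .= '</' . array_pop($open) . '>';
    }
    return $out;
}

// bbcode approach: everything the user typed is escaped (so "<grin>" shows
// as typed) and only a fixed set of paired [tag]...[/tag] is turned into HTML.
function bbcode_to_html(string $input): string
{
    $safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    $map  = ['b' => 'b', 'i' => 'i', 'u' => 'u', 'quote' => 'blockquote'];
    foreach ($map as $bb => $html) {
        // Only complete pairs convert, so a lone [b] can never bold the whole page.
        $safe = preg_replace("/\[$bb\](.*?)\[\/$bb\]/is", "<$html>$1</$html>", $safe);
    }
    return $safe;
}

// Constructed sample inputs:
echo sanitize_formatting_html('<b style="s" onclick="c">hi</b><table><tr><td>big</td></tr></table><i>open'), "\n";
// <b>hi</b>big<i>open</i>
echo bbcode_to_html('<grin> [b]bold[/b] [quote]q[/quote] [b]lone'), "\n";
// &lt;grin&gt; <b>bold</b> <blockquote>q</blockquote> [b]lone
```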