On 26/04/07, Chris Shiflett <[EMAIL PROTECTED]> wrote:
> Dotan Cohen wrote:
> > It would be BBcode if anything. It may be the product of the
> > lazy, but I feel more secure parsing it than [x]HTML.
>
> BBCode is a pretty useless markup format. If you only want to allow /
> interpret a small subset of HTML, you can use a simple approach like this:
>
> http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss

Thanks, Chris, I read that a few times through this week! I'll make
the decision based upon the users: I'll see what they already know.
The truth is, I'll probably not allow either.

> If you want to allow a larger subset, or you're just looking for a
> packaged solution, try HTML Purifier:
>
> http://htmlpurifier.org/

That is a great package.

Dotan Cohen

http://lyricslist.com/lyrics/artist_albums/136/crosby_bing.html
http://what-is-what.com/what_is/3g.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
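The "simple approach" for a small HTML subset that Chris points to, written out as an added PHP example; this is not code from the thread or from the linked post. The idea: escape the whole input first, so it is inert by default, then convert only an exact whitelist of escaped tags back into real tags. The function name, the tag list, the link pattern and the sample input below are all assumptions of this example.

```php
<?php
declare(strict_types=1);

/*
 * allow_html_subset(): let untrusted text carry a tiny, fixed set of tags.
 *
 * Order matters: escape everything first, so the output is safe by
 * default, then turn only exact whitelisted sequences back into tags.
 * A tag that is not on the list, or an allowed tag carrying any
 * attribute (<b onclick="...">), never matches and stays escaped, so
 * the browser shows it as literal text instead of executing it.
 */
function allow_html_subset(string $input): string
{
    // 1. Escape all of it. ENT_QUOTES covers both quote characters;
    //    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    $html = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Re-enable attribute-free tags by exact, case-sensitive match.
    //    <B>, <b class="x"> and anything not listed stay escaped.
    $allowed = [
        '&lt;b&gt;'      => '<b>',      '&lt;/b&gt;'      => '</b>',
        '&lt;i&gt;'      => '<i>',      '&lt;/i&gt;'      => '</i>',
        '&lt;em&gt;'     => '<em>',     '&lt;/em&gt;'     => '</em>',
        '&lt;strong&gt;' => '<strong>', '&lt;/strong&gt;' => '</strong>',
        '&lt;br&gt;'     => '<br>',
    ];
    $html = str_replace(array_keys($allowed), array_values($allowed), $html);

    // 3. Links: only a double-quoted href, only http(s). After step 1 the
    //    input's quotes are &quot; and its '&' is &amp;, so match those
    //    forms; keeping &amp; inside the rewritten attribute is correct
    //    HTML. A javascript: or single-quoted href never matches.
    $html = preg_replace(
        '#&lt;a href=&quot;(https?://(?:[^&\s]|&amp;)+)&quot;&gt;#',
        '<a href="$1">',
        $html
    );
    $html = str_replace('&lt;/a&gt;', '</a>', $html);

    return $html;
}

// Constructed sample input (not from the thread): benign markup mixed
// with the kinds of payload this filter is meant to neutralise.
$untrusted = 'Hi <b>there</b>, <b onclick="alert(1)">x</b> '
    . '<script>alert(1)</script> '
    . '<a href="http://example.com/?a=1&b=2">ok</a> '
    . '<a href="javascript:alert(1)">bad</a>';

echo allow_html_subset($untrusted), "\n";
```

Run it and compare the four pieces of the sample: `<b>there</b>` and the http link come back as real tags (with `&amp;` preserved in the href), while the `<b onclick>`, the `<script>` block and the `javascript:` link remain escaped and render as visible text. Note the limits of exact-string matching: a closing `</b>` or `</a>` whose opening tag was rejected is still re-enabled, which is a nesting nuisance rather than an injection, and every new tag or attribute you want to permit needs its own carefully written pattern. Once the subset grows beyond a handful of bare tags, that maintenance burden is the reason to use HTML Purifier, which Chris mentions next, instead of extending this by hand.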
