On 5/21/2010 9:21 AM, Ashley Sheridan wrote:
On Fri, 2010-05-21 at 14:24 +0100, David Otton wrote:
On 20 May 2010 16:51, Al<n...@ridersite.org> wrote:
I'm not being clear. First pass is thru the blacklist, which effectually
tells the hacker not to bother and totally deletes the entry.
If the raw entry gets past the blacklist, it must then only contain my
whitelist tags. e.g., the two examples you cited were caught by the
Ah, gotcha. That seems like a much better approach to me. But if the
whitelist's going to stop the submission, then why bother with a
blacklist at all?
I still think you might be better off using BBCode, which is used on
websites just for this very purpose. When any input comes back, you can
remove all the HTML completely and replace the BBCode tags that you
allow. This should guarantee that the only HTML in the text is what you
put there. That way, the only chance someone has to enter malicious code
is to manipulate your replacement algorithm.
I've used BBCode several times in the past for this reason. But I found I was
forever having to add new ones for special situations that could easily be
handled with plain old HTML elements. Some of my users have a rudimentary
knowledge of html so they can use it. Most just use my proxy tags e.g., a
Text Emphasis => <blue>foo</blue>, <bold>foo</bold>, <green>foo</green>,...
Titles and Headers => <blue-title>foo</blue-title>, <blue-subtitle>..
Containers => <container location; width; border>any content</container>
Lists => <list>*foo...*foo</list>
Horiz and Blank Lines, etc. => <black-line>, <blue-line>, <blank-line>,
URL and email Links => <url "www.foo.com">Label</url>; [w/wo http:],
Images => <image position width% relPath>caption</image>;
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
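The "escape everything, then translate only whitelisted tags" approach Ashley describes, applied to Al's proxy-tag syntax, as an added example that is not code from anyone in this thread. The tag names, the HTML they map to and the `render_proxy_tags` function name are assumptions for illustration; the security point is that replacements run against already-escaped text and that the `<url>` destination is validated before it becomes an `href`.

```php
<?php
// Added example: escape all raw HTML first, then map a small whitelist of
// proxy tags (names assumed) onto fixed HTML. After htmlspecialchars(), the
// only '<' or '>' that can reach the output are the ones written below.
function render_proxy_tags(string $raw): string
{
    $out = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Simple inline tags. Patterns match the escaped form (&lt;bold&gt;), so
    // they can never match HTML the user typed directly.
    $inline = [
        'bold'  => ['<strong>', '</strong>'],
        'blue'  => ['<span class="blue">', '</span>'],
        'green' => ['<span class="green">', '</span>'],
    ];
    foreach ($inline as $tag => [$open, $close]) {
        $out = preg_replace(
            '/&lt;' . $tag . '&gt;(.*?)&lt;\/' . $tag . '&gt;/s',
            $open . '$1' . $close,
            $out
        );
    }

    // <url "www.foo.com">Label</url>: the quotes were escaped to &quot;.
    // The destination is decoded, forced to http(s) ("w/wo http:"), validated,
    // and re-escaped, so a javascript: or data: scheme cannot be smuggled in
    // through the replacement step (the risk Ashley points out).
    $out = preg_replace_callback(
        '/&lt;url &quot;(.*?)&quot;&gt;(.*?)&lt;\/url&gt;/s',
        function (array $m): string {
            $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('#^https?://#i', $href)) {
                $href = 'http://' . $href;
            }
            if (filter_var($href, FILTER_VALIDATE_URL) === false) {
                return $m[0]; // leave the tag as harmless escaped text
            }
            return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
                 . '">' . $m[2] . '</a>';
        },
        $out
    );
    return $out;
}

// Constructed sample: proxy tags mixed with raw HTML that must not get through.
$sample = '<bold>hi</bold> <script>alert(1)</script> '
        . '<url "www.foo.com">site</url> <url "javascript:alert(1)">x</url>';
echo render_proxy_tags($sample), PHP_EOL;
```

The `<script>` element survives only as escaped text, the `<bold>` and first `<url>` tags become real HTML, and the `javascript:` destination is rejected by the validation step and left as escaped text.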