Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-13 Thread Charles Stuart
On Jul 12, 2005, at 6:50 AM, Chris Shiflett wrote: As far as allowing [red] goes, you can just as easily add to the list of available tags and not have to come up with a replacement for every other HTML tag that already exists. but what about the poor bastards that'll go around trying

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-12 Thread Chris Shiflett
Evert|Rooftop wrote: If you for example only allow and doing this with bbcode would require extra cpu-cycles to convert [i] to I don't really agree with this, because I think escaping the html + replacing bbcode would require less cpu cycles than scanning the string for invalid html and escap

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-12 Thread Chris Shiflett
Richard Davey wrote: I gave several valid good usability reasons, that I've yet to see anyone provide a coherent reason not to use. The usability arguments in favor of BBCode are fine. I'm not interested in that debate. I just don't want more people thinking that allowing BBCode somehow prote

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-11 Thread Evert | Rooftop
The point is.. If you for example only allow and doing this with bbcode would require extra cpu-cycles to convert [i] to I don't really agree with this, because I think escaping the html + replacing bbcode would require less cpu cycles than scanning the string for invalid html and escapin

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-10 Thread Richard Lynch
On Fri, July 8, 2005 11:25 am, Ezra Nugroho said: > > Here is one security measure that you HAVE to do if you allow people to > submit contents to your site. > > 1. track client's IP. > 2. Associate sensitive cookies with the IP, if they don't match, ignore > it or invalidate the cookie. > > We may

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-09 Thread Chris Shiflett
Ezra Nugroho wrote: Here is one security measure that you HAVE to do if you allow people to submit contents to your site. 1. track client's IP. 2. Associate sensitive cookies with the IP, if they don't match, ignore it or invalidate the cookie. If by "HAVE to" you mean "MUST NEVER," then I agr

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-09 Thread Chris Shiflett
Greg Donald wrote: > [i]This text will be in italics.[/i] > [b]This text will be in bold.[/b] > [url=http://php.net]This will be a URL that points to php.net.[/url] While I do not disagree with the information content of your post, I do think this sort of thing is pretty silly. If you're gonna

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Rory Browne
a user, unless you are fine with invalidating users on > > a frequent basis > > > > Michael > > > > > -Original Message- > > > From: Ezra Nugroho [mailto:[EMAIL PROTECTED] > > > Sent: Friday, July 08, 2005 11:49 AM > > > To: Michael Caplan > >

RE: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ezra Nugroho
ge- > > From: Ezra Nugroho [mailto:[EMAIL PROTECTED] > > Sent: Friday, July 08, 2005 11:49 AM > > To: Michael Caplan > > Subject: RE: [PHP] Re: Security, Late Nights and Overall Paranoia > > > > True, but it's better than nothing. > > > >

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Edward Vermillion
On Jul 8, 2005, at 1:25 PM, Ezra Nugroho wrote: Here is one security measure that you HAVE to do if you allow people to submit contents to your site. 1. track client's IP. 2. Associate sensitive cookies with the IP, if they don't match, ignore it or invalidate the cookie. We may not stop th

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ezra Nugroho
Here is one security measure that you HAVE to do if you allow people to submit contents to your site. 1. track client's IP. 2. Associate sensitive cookies with the IP, if they don't match, ignore it or invalidate the cookie. We may not stop the information redirection. We can make the informati

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Edward Vermillion
On Jul 8, 2005, at 12:31 PM, Edward Vermillion wrote: On Jul 8, 2005, at 12:02 PM, Ezra Nugroho wrote: I am just wondering, how could someone craft an html to steal cookies? If your cookie distribution is done right, I don't think you need to worry about this. That's what XSS is all abou

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Edward Vermillion
On Jul 8, 2005, at 12:02 PM, Ezra Nugroho wrote: I am just wondering, how could someone craft an html to steal cookies? If your cookie distribution is done right, I don't think you need to worry about this. That's what XSS is all about. I don't have the link handy but I do have a PDF file

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ezra Nugroho
I am just wondering, how could someone craft an html to steal cookies? If your cookie distribution is done right, I don't think you need to worry about this. There are a gazillion of sites (CMS-based, wiki-based, etc, including php.net) that allow users to contribute html. They are not concern a

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Greg Donald
On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote: > I am not really bothered about the closing tags (for example ) > I am more bothered about the opening closing tag (for example should be ) > as this can mess up my page...but this can't do squat: [i > or this: i] That's where a good preview function

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Edward Vermillion
On Jul 8, 2005, at 4:21 AM, <[EMAIL PROTECTED]> wrote: Personally, I don't think it's a bad idea at all. The best way (and probably ONLY real way) to achieve decent security would be to limit the subset of tags the user can post. Best way to achieve this is to use your own tagging system (e.g.

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ryan A
> > Yep, but this has no way of breaking my html > > If [/i] is missing, it'd be the same as being missing. > > I can just as easily clean out any missing tags as I can any > missing [/i] tags. > I am not really bothered about the closing tags (for example ) I am more bothered about the ope

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Greg Donald
On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote: > Yep, but this has no way of breaking my html If [/i] is missing, it'd be the same as being missing. I can just as easily clean out any missing tags as I can any missing [/i] tags. -- Greg Donald Zend Certified Engineer MySQL Core Certificati

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ryan A
Hey, > > The problem with this approach is if people don't close their tags properly > Nothing makes it impossible for me to hand type and not close one of those > tags. > > [i]blah Yep, but this has no way of breaking my html the max you would get is: [i this will be in italics which is

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Greg Donald
On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote: > The problem with this approach is if people don't close their tags properly Nothing makes it impossible for me to hand type and not close one of those tags. [i]blah -- Greg Donald Zend Certified Engineer MySQL Core Certification http://destiney.com

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ryan A
Hey, > > The typical way that forums handle this is to use what is called > > "BBCode". In short, you have a non-HTML way for users to supply > > [i]This text will be in italics.[/i] > > [b]This text will be in bold.[/b] > If you're gonna allow the tag then just allow it. There's no > p

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Greg Donald
On 7/8/05, Jason Barnett <[EMAIL PROTECTED]> wrote: > The typical way that forums handle this is to use what is called > "BBCode". In short, you have a non-HTML way for users to supply > information that will produce markup instead of just plain text. So if > you want to allow italics, bolds, URL