Re: [whatwg] The iframe element and sandboxing ideas

2008-07-26 Thread Frode Børli
Frode Børli wrote: Yeah, I thought about that also. Then we have more complex attributes such as style='font-family: expression&#40;a+5&#41;;'... So your sanitizer must also parse CSS properly - including unescaping entities. The way HTML Purifier handles this is unescaping all entities (hex,

Re: [whatwg] The iframe element and sandboxing ideas

2008-07-26 Thread Kristof Zelechovski
A bank sporting a site with a form encouraging the customer to enter arbitrary HTML code would be perceived innovative indeed, albeit in the Monty-Pythonic sense. I can envision the logo: The First Alternative Reality Bank. Hopefully, all its accounts would be run in lindendollars... And no

Re: [whatwg] pushState

2008-07-26 Thread Kristof Zelechovski
It is not customary for desktop applications to change the window title in response to the current state of the document they display. A Web browser is a desktop application and it should not exhibit such behavior either. The place to store information about the latest user action is the Edit menu,

Re: [whatwg] The iframe element and sandboxing ideas

2008-07-26 Thread Frode Børli
Yes, let's all go back to Word Perfect for DOS and hinder innovation. Besides, this is not the proper arena for this discussion:) 2008/7/26 Kristof Zelechovski [EMAIL PROTECTED]: A bank sporting a site with a form encouraging the customer to enter arbitrary HTML code would be perceived