nope, <a> is a valid tag and hence not removed. We *could* potentially do a tag + attribute filtering, but that's rather more expensive than a simple strip_tags, and might also be container specific (the docs don't clarify much on what should and shouldn't be stripped anyhow).

So for now I'd be happy to punt it as 'container sanitization business' unless anyone has some strong different opinions.

On Thu, Nov 20, 2008 at 6:48 PM, Ropu <[EMAIL PROTECTED]> wrote:
> hmm, this patch will also remove
> this:
>
> <a href="javascript:alert()">
>
> ?
>
> or that should be a container sanitization business?
>
> ropu
>
> On Wed, Nov 19, 2008 at 12:32 AM, <[EMAIL PROTECTED]> wrote:
>
> > Author: chabotc
> > Date: Wed Nov 19 02:32:04 2008
> > New Revision: 718927
> >
> > URL: http://svn.apache.org/viewvc?rev=718927&view=rev
> > Log:
> > SHINDIG-544 - strip any non-allowed tags
> >
> > Modified:
> > incubator/shindig/trunk/php/src/social/model/Activity.php
> >
> > Modified: incubator/shindig/trunk/php/src/social/model/Activity.php
> > URL:
> > > http://svn.apache.org/viewvc/incubator/shindig/trunk/php/src/social/model/Activity.php?rev=718927&r1=718926&r2=718927&view=diff
> > >
> > ==============================================================================
> > --- incubator/shindig/trunk/php/src/social/model/Activity.php (original)
> > +++ incubator/shindig/trunk/php/src/social/model/Activity.php Wed Nov 19
> > 02:32:04 2008
> > @@ -1,4 +1,5 @@
> > <?php
> > +
> > /*
> > * Licensed to the Apache Software Foundation (ASF) under one
> > * or more contributor license agreements. See the NOTICE file
> > @@ -183,7 +184,7 @@
> >
> > public function setTitle($title)
> > {
> > - $this->title = $title;
> > + $this->title = strip_tags($title,
> '<b><i><a><span><img>');
> > }
> >
> > public function getTitleId()
> > @@ -215,4 +216,5 @@
> > {
> > $this->userId = $userId;
> > }
> > +
> > }
> >
> >
>
> --
> .-. --- .--. ..-
> R o p u
>
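Review bot: the `@@ -183,7 +184,7 @@` hunk keeps every attribute on the surviving tags, because `strip_tags($title, '<b><i><a><span><img>')` only removes tags that are not in the allow-list and never looks at attributes; the `<a href="javascript:alert()">` Ropu quotes passes through untouched, and so would any `on*` handler or an `<img src=...>` pointing at a script URL. If SHINDIG-544 is meant to make the title safe rather than merely tidy, either drop `<a>` and `<img>` from the allow-list or follow `strip_tags` with a per-tag attribute allow-list plus a scheme check on `href`/`src`; if attribute handling is deliberately left to the container, add a comment on `setTitle` saying so, otherwise the next reader will take this line as an XSS fix.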
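Review bot: the `@@ -1,4 +1,5 @@` and `@@ -215,4 +216,5 @@` hunks are whitespace-only (a blank line after `<?php` and one before the closing brace) and have nothing to do with the logged change "strip any non-allowed tags"; keep formatting noise out of a fix revision, or at least mention it in the log, so r718927 stays easy to audit later.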
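To make the difference concrete, here is an added example written for this thread (it is not Shindig code and not what r718927 does): it runs the patch's allow-list through `strip_tags()` on a constructed title, and next to it a tag-plus-attribute filter of the kind the reply calls "rather more expensive". The attribute policy in `ALLOWED_ATTRS`, the scheme list in `ALLOWED_SCHEMES`, and the function names `urlIsAllowed`, `sanitizeNode` and `filterHtml` are assumptions chosen for the demonstration, not anything from the project.

```php
<?php
// Added example for this thread, not Shindig code. Shows that strip_tags() with an
// allow-list keeps attributes, and what a tag + attribute allow-list filter does instead.
// The attribute policy, scheme list and function names are assumptions for the demo.

// Same allow-list as the patch under discussion.
const ALLOWED_TAGS = '<b><i><a><span><img>';

// Hypothetical per-tag attribute policy and URL scheme allow-list for href/src.
const ALLOWED_ATTRS = [
    'a'    => ['href', 'title'],
    'img'  => ['src', 'alt', 'title'],
    'span' => ['title'],
    'b'    => [],
    'i'    => [],
];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// A URL is kept if it is relative or its scheme is allow-listed. Control characters
// and spaces are removed first because browsers ignore them inside a scheme.
function urlIsAllowed(string $url): bool
{
    $url = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Post-order walk: children are cleaned first, so unwrapping a disallowed
// element only moves already-sanitized nodes up into its parent.
function sanitizeNode(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);          // comments, processing instructions
            continue;
        }
        sanitizeNode($child);
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child);          // drop the content too, unlike strip_tags()
            continue;
        }
        if (!array_key_exists($tag, ALLOWED_ATTRS)) {
            while ($child->firstChild) {         // unwrap: keep the children, drop the tag
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ATTRS[$tag], true);
            if ($keep && ($name === 'href' || $name === 'src')) {
                $keep = urlIsAllowed($attr->value);
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

// Parse the fragment inside a wrapper <div>, sanitize, and serialize the wrapper's children.
function filterHtml(string $fragment): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);    // malformed input must not emit warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $fragment . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_use_internal_errors($prev);
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper: first div in document order
    sanitizeNode($root);
    $out = '';
    foreach ($root->childNodes as $c) {
        $out .= $doc->saveHTML($c);
    }
    return $out;
}

// Constructed sample title, built around the case Ropu raised.
$title = '<a href="javascript:alert()" onclick="alert()">link</a>'
       . '<script>alert(1)</script><b>bold</b><div>text</div>';

echo "strip_tags: ", strip_tags($title, ALLOWED_TAGS), "\n";
echo "filterHtml: ", filterHtml($title), "\n";
```

Run with `php example.php`. The `strip_tags` line keeps the `<a>` with both its `href="javascript:alert()"` and `onclick` attributes, and leaves the script body `alert(1)` behind as bare text (it removes `<script>` tags but not their content); the `filterHtml` line yields `<a>link</a><b>bold</b>text`, because the disallowed scheme and the non-allow-listed attribute are dropped, the script element is removed with its content, and the `<div>` is unwrapped. The filter is a design choice, not a drop-in: it normalizes the markup through libxml's HTML parser, which is the cost the reply alludes to, and a container that re-renders the title elsewhere still has to escape it for its own output context.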

