On Jun 16, 12:16 am, mahemoff <[email protected]> wrote:
> Thanks for the update Chris. The flexible validation model makes sense
> - in the medium-to-long term I would also like to see TiddlyWeb ship
> with a default validator that allows for general HTML content, that
> does the usual Javascript stripping, matching HTML tags, and so on.
> Perhaps one that is easily configurable wrt which tags (and possibly
> attributes) it can take. Last I checked, this is a fairly common thing
> for sanitisation libraries to offer, so what I'm suggesting is a
> validator that is simply an adaptor into an existing sanitisation
> library.
Based on poking around on the tinternets, the preferred tool is html5lib, which has a subclassable sanitizer built in, so I'll be looking into that. However, it's important to keep in mind that in the tiddler situation we've got more than "general HTML content" to consider. Sometimes we want to remove systemConfig tags, or reject tiddlers that look like plugins, that sort of thing. And more confusingly, we've got input coming in that may be posing as an image (having content type image/png) but not actually being that content. I assume there are some vectors in which someone could deposit a binary tiddler and wreak havoc. Basically, things are made more complicated by content being stored on the end of a generic PUT rather than a CGI form submission.

These things are not really in my ken, which is part of why I'm making the system easy to extend. I'm hoping that people with a bit more expertise in this area will contribute. I am doing some reading up, however.

As an aside: it's my expectation that there will also be loops for validating PUT recipes and bags as well (one area that will need sanitization is recipe and bag descriptions).

You received this message because you are subscribed to the Google Groups "TiddlyWikiDev" group. For more options, visit this group at http://groups.google.com/group/TiddlyWikiDev?hl=en
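The reply above lists three separate checks a tiddler validator would need: an allowlist HTML sanitizer that also keeps tags matched, removal of the systemConfig tag, and a check that a tiddler claiming to be image/png actually carries PNG bytes. The block below is an added example written for this page, not TiddlyWeb's code and not html5lib's sanitizer (it uses only the Python standard library as a stand-in). The tiddler dict layout, the allowed tag and attribute sets, the magic-byte table and the "reject what cannot be verified" policy for unknown binary types are all assumptions made for the example.

```python
# Added example (not TiddlyWeb's own code, and not html5lib): a small
# allowlist-based tiddler validator in the shape the mail describes.
# The tiddler dict layout, the allowed tag/attribute sets, the magic-byte
# table and the "reject what we cannot verify" policy are assumptions.
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "pre", "code", "br", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # every other attribute is dropped
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}           # tag *and* its body are removed


class AllowlistSanitizer(HTMLParser):
    """Keeps only allowlisted tags/attributes, escapes all text, and
    re-balances tags so the output is well-formed: unclosed tags are
    closed at the end, stray closing tags are ignored."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []        # currently open allowlisted tags, for balancing
        self.skip_depth = 0    # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                       # drops on* handlers, style, etc.
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue                       # drops javascript:/data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):   # <br/>, <p/>
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        while self.stack:                      # close everything down to the match
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.stack:                      # close whatever the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_html(text):
    parser = AllowlistSanitizer()
    parser.feed(text)
    return parser.result()


# Magic bytes for the binary types this example is willing to accept.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}


def content_matches_type(content_type, data):
    """True only when the bytes start with the signature of the declared
    type, so a tiddler claiming image/png but carrying something else fails."""
    sigs = MAGIC.get(content_type)
    if sigs is None:
        return False           # policy (assumption): unverifiable binary type -> reject
    return isinstance(data, bytes) and data.startswith(sigs)


class InvalidTiddler(ValueError):
    pass


def validate_tiddler(tiddler):
    """tiddler is a plain dict {'title', 'tags', 'type', 'text'} (a constructed
    shape, not TiddlyWeb's model). Returns a cleaned copy or raises."""
    cleaned = dict(tiddler)
    # drop the tag that would make TiddlyWiki treat the tiddler as a plugin
    cleaned["tags"] = [t for t in tiddler.get("tags", []) if t != "systemConfig"]
    ctype = tiddler.get("type") or "text/html"
    text = tiddler.get("text", "")
    if ctype.startswith("text/"):
        if isinstance(text, bytes):
            try:
                text = text.decode("utf-8")
            except UnicodeDecodeError:
                raise InvalidTiddler("text tiddler is not valid UTF-8")
        cleaned["text"] = sanitize_html(text)
    elif not content_matches_type(ctype, text):
        raise InvalidTiddler(f"content does not match declared type {ctype}")
    return cleaned
```

The sanitizer is deliberately allowlist-based: anything not named in ALLOWED_TAGS and ALLOWED_ATTRS is dropped rather than trying to enumerate dangerous constructs, and the open-tag stack gives the "matching HTML tags" property from the quoted message. The magic-byte check is the cheap half of the image problem; a real deployment would want to decode the image as well, since a valid PNG header says nothing about what follows it.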
