Hi! > 2. HTML validation - our current security model relies on the HTML > being generated server-side by a wikitext parser. If we cut wikitext > out of the loop, we'll need some other way of ensuring that people > can't inject arbitrary Javascript/Flash embedding/Java > applet/ActionScript/iframe or any other security horrors.
There are tools like HTML Purifier which are pretty good at it, though performance of those are not stellar, especially on big texts. The Purifier pretty much disassembles it into DOM, validates that, throws out what it doesn't like and reassembles it back. Which is not very fast in PHP, but is pretty strict. Still, there's a chance people could sneak something past it. -- Stas Malyshev [email protected] _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
