Re: HTMLPurifier - Standard Compliant HTML Filtering

Posted by John Dunlop on 08/20/06 13:03

Ambush Commander:

> In a way, both. I can't be completely standards compliant, because
> technically that would mean I'd let XSS through. What I can do is,
> while disallowing XSS, ensure that any output the filter gives won't
> break an XHTML 1.0 Transitional page's validation at the W3C validator.
> This is no easy task, especially since the spec doesn't get everything
> right (for example SGML exclusions). Currently, the only thing that's
> bothering the filter is control characters and non-SGML allowed
> codepoints: anything else you throw at it will be turned into something
> that will validate.

I don't mean to sound rude, but what is this 'something'? How do you
know when you come across an error what was originally meant? Do you
flag the error and ask the user what they meant?

> As in valid, people use deprecated elements and attributes like <font>
> and <center> all the time. The filter converts these into their proper
> representations (<span style=""> and <div style="text-align:center;">).
> So it can be quite smart about that sort of thing (it also does
> automatic <p> tag closings, etc). Kind of like Tidy, the only thing is
> that Tidy doesn't guarantee validation. We do.

I don't believe there is any program today that can check conformance
to the HTML spec. Machines have no understanding of the prose of the
spec. Your program, from what I gather, checks validity and a
selection of other criteria that you have chosen: a linter with a built-in
validator.

--
Jock
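The exchange above turns on what the "something" is that a filter emits for input it will not pass through, and how deprecated markup such as <font> and <center> gets rewritten. The following is an added illustration of that allowlist-and-rewrite approach, written in Python for this thread; it is not HTMLPurifier's code, and the element list, the CSS properties it accepts and the class and function names (Purifier, purify) are assumptions made for the example. Every decision is deterministic: unknown elements are dropped but their text is kept and escaped, script and style bodies are discarded, unknown attributes vanish, <center> becomes <div style="text-align:center;">, <font color/face> becomes <span style="...">, an open <p> is closed when a block element starts, stray end tags are ignored, and control characters that an SGML/XML parser rejects are stripped.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: element -> attributes that may survive on it (everything else is dropped).
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "span": {"style"}, "div": {"style"}, "a": {"href"},
}
VOID = {"br"}                        # emitted as <br /> so the output stays XHTML-valid
BLOCK = {"p", "div"}                 # a block opening inside an open <p> auto-closes it
DROP_CONTENT = {"script", "style"}   # the element *and* its text are discarded
FONT_CSS = {"color": "color", "face": "font-family"}   # <font> attributes -> CSS
SAFE_CSS = {"color", "font-family", "text-align"}      # assumed CSS property allowlist
CSS_VALUE = re.compile(r"^[A-Za-z0-9#,\- ]+$")
# C0/DEL control characters other than tab, LF and CR are not legal in SGML/XML text.
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class Purifier(HTMLParser):
    """Tokenises HTML with the stdlib parser and re-serialises only allowlisted content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded; we re-escape
        self.out, self.stack, self.skip = [], [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in DROP_CONTENT:
            self.skip = tag                        # mute text until the matching end tag
            return
        # Deprecated presentational markup is rewritten to its CSS equivalent.
        if tag == "center":
            tag, attrs = "div", {"style": "text-align:center;"}
        elif tag == "font":
            css = "".join(f"{FONT_CSS[k]}:{v};" for k, v in attrs.items()
                          if k in FONT_CSS and v and CSS_VALUE.match(v))
            tag, attrs = "span", ({"style": css} if css else {})
        if tag not in ALLOWED:
            return                                 # element dropped; its text still flows
        if tag in BLOCK and "p" in self.stack:
            self._close_through("p")               # implicit </p>, as Tidy would insert
        self.out.append("<%s%s%s>" % (tag, self._clean_attrs(tag, attrs),
                                      " /" if tag in VOID else ""))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
            return
        tag = {"center": "div", "font": "span"}.get(tag, tag)
        if tag in self.stack:                      # a stray end tag is simply dropped
            self._close_through(tag)

    def handle_data(self, data):
        if self.skip is None:
            self.out.append(escape(CONTROL.sub("", data), quote=False))

    def _close_through(self, tag):
        """Pop and emit end tags, innermost first, until `tag` has been closed."""
        while self.stack:
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def _clean_attrs(self, tag, attrs):
        parts = []
        for name, value in attrs.items():
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "style":
                value = self._clean_style(value)
            elif name == "href" and urlparse(value.strip()).scheme not in ("http", "https", ""):
                continue                           # only web or relative URLs survive
            if value:
                parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    @staticmethod
    def _clean_style(style):
        kept = []
        for decl in style.split(";"):
            prop, _, val = decl.partition(":")
            prop, val = prop.strip().lower(), val.strip()
            if prop in SAFE_CSS and CSS_VALUE.match(val):
                kept.append(f"{prop}:{val};")
        return "".join(kept)


def purify(html):
    p = Purifier()
    p.feed(html)
    p.close()
    p._close_through(None)   # close whatever the author left open, innermost first
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed sample input, not taken from the thread.
    print(purify('<center>Hi</center><p>one<p>two<font color="#ff0000" onclick="x">red'))
```

The point for the discussion above is that the filter never has to guess what the author "meant": it applies one fixed rule per token, so the output is valid by construction and the only information lost is what the allowlist refuses. Dunlop's distinction still stands, though: this checks well-formedness and a chosen set of rules, not conformance to the prose of the specification.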
