 Posted by Greg Donald on 07/11/05 19:06 
On 7/11/05, Richard Davey <rich@launchcode.co.uk> wrote: 
> u wanted to allow a user to say colour a piece of text red, 
> they'd have to enter <span style="color: red">x</span> to make it 
 
I wouldn't know, <span> isn't one of the tags I allow. 
 
> happen? Poor bastards (never mind the fact I'd love to see you use 
> less CPU cycles to perfectly validate that tag than say [red][/red]). 
 
I don't bother with perfect tag validation, and I doubt the phpbb 
bbcode people do either since they average about 2-3 exploits a month 
on Bugtraq. 
 
I allow a specific set of safe html tags and I provide a preview 
function.  Even after that, if the user goofs up I allow a specific 
time span in which to edit the post to correct the goof. 
 
 
--  
Greg Donald 
Zend Certified Engineer 
MySQL Core Certification 
http://destiney.com/
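
The allowlist-plus-preview approach described in the message above, as an added example that is not code from the post or its author: everything is escaped first, then only bare allowlisted tags are re-enabled, so a tag with attributes such as `<span style="...">` stays visible text. The tag list and the function names `render_post` and `unbalanced_tags` are assumptions made for illustration.

```php
<?php
// Assumed allowlist for illustration; the post does not say which tags it permits.
const ALLOWED_TAGS = ['b', 'i', 'u', 'em', 'strong', 'pre', 'code', 'blockquote'];

/**
 * Escape the whole post, then turn back only "<tag>" / "</tag>" forms
 * of allowlisted names. Anything with attributes (style=, onclick=, ...)
 * never matches the pattern and remains escaped.
 */
function render_post(string $raw): string
{
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $names = implode('|', array_map('preg_quote', ALLOWED_TAGS));
    return preg_replace_callback(
        "~&lt;(/?)($names)&gt;~i",
        fn(array $m): string => '<' . $m[1] . strtolower($m[2]) . '>',
        $escaped
    );
}

/**
 * Preview helper: list allowlisted tags that are left open or closed
 * out of order, so the user can be warned before the post is saved.
 * Run it on render_post() output, where the only real tags are allowlisted.
 */
function unbalanced_tags(string $html): array
{
    $stack = [];
    $problems = [];
    $names = implode('|', ALLOWED_TAGS);
    preg_match_all("~<(/?)($names)>~", $html, $matches, PREG_SET_ORDER);
    foreach ($matches as [, $slash, $name]) {
        if ($slash === '') {
            $stack[] = $name;            // opening tag
        } elseif (end($stack) === $name) {
            array_pop($stack);           // properly nested close
        } else {
            $problems[] = "/$name";      // stray or misnested close
        }
    }
    return array_merge($problems, $stack);
}

// Constructed sample posts, not taken from the thread.
$samples = [
    '<b>bold</b> and <span style="color: red">x</span>',
    '<i>oops <b>unclosed</i>',
];
foreach ($samples as $sample) {
    $out = render_post($sample);
    echo $out, "\n  unbalanced: ", implode(', ', unbalanced_tags($out)) ?: 'none', "\n";
}
```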
 
  