|
|
Posted by Evert | Rooftop on 07/11/05 21:21
The point is..
If you for example only allow <i><u> and <b> doing this with bbcode
would require extra cpu-cycles to convert [i] to <i>
I don't really agree with this, because I think escaping the html +
replacing bbcode would require less cpu cycles then scanning the string
for invalid html and escaping them.
Maybe someone has the time to benchmark this?
Whatever the outcome will be, I would still prefer <i> over [i] because
I'm a standards guy =)
regards,
Evert
Jonathan Kart wrote:
>I've been loosely following this thread, and have a question now.
>Isn't one advantage of a bbcode type solution that you can more easily
>avoid session hijacking vis cross site scripting? If you allow html,
>then you open the door for people to add eventhandlers. I guess you
>could always strip them, but it seems like for simple stuff bbcode
>isn't a bad solution.
>
>On 7/11/05, Richard Davey <rich@launchcode.co.uk> wrote:
>
>
>>Hello Greg,
>>
>>Monday, July 11, 2005, 5:06:51 PM, you wrote:
>>
>>GD> I wouldn't know, <span> isn't one of the tags I allow.
>>
>>If you stick to the plain vanilla HTML tags such as i, b, u, etc then
>>BBCode is pointless - I agreed on this with you several posts ago. I
>>don't however use it just for that, I use it to let thousands of kids
>>add a little sparkle to their messages/profiles with colours, images,
>>etc -- without them having to have good CSS/HTML knowledge (most of them
>>could handle a font tag, but that'd break my XHTML Trans). This is the
>>point I argued all along to which I get "it's not really a security
>>benefit" (no, it's a user benefit) and it's a "misuse of cpu cycles".
>>
>>For people I hold in such high regard, I'm ashamed at the lot of you :)
>>
>>GD> I don't bother with perfect tag validation, and I doubt the phpbb
>>GD> bbcode people do either since they average about 2-3 exploits a
>>GD> month on Bugtraq.
>>
>>Not that I'd let an install of phpBB anywhere near a site I run, they
>>didn't invent BBCode, and in all fairness to those guys the majority
>>of their exploits are elsewhere.
>>
>>GD> I allow a specific set of safe html tags and I provide a preview
>>GD> function. Even after that, if the user goofs up I allow a specific
>>GD> time span in which to edit the post to correct the goof.
>>
>>Ditto. I just don't force them to use HTML.
>>
>>Best regards,
>>
>>Richard Davey
>>--
>> http://www.launchcode.co.uk - PHP Development Services
>> "I do not fear computers. I fear the lack of them." - Isaac Asimov
>>
>>--
>>PHP General Mailing List (http://www.php.net/)
>>To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>>
>>
>
>
>
Navigation:
[Reply to this message]
|