Re: [PHP] Re: Security, Late Nights and Overall Paranoia

Posted by Chris Shiflett on 07/12/05 16:56

Evert|Rooftop wrote:
> If you, for example, only allow <i>, <u> and <b>, doing this with BBCode
> would require extra CPU cycles to convert [i] to <i>.
>
> I don't really agree with this, because I think escaping the HTML and
> replacing BBCode would require fewer CPU cycles than scanning the string
> for invalid HTML and escaping it.
>
> Maybe someone has the time to benchmark this?

Performance aside, that's a dangerous way of allowing a restricted set
of HTML. You want to escape the entire string. The only difference is
that you can convert some HTML entities back to their original form if
you want to allow them to be interpreted.

In other words, these approaches are almost identical, which is why
BBCode has very little value.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
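The approach described above (escape the whole string, then convert only the allowed entities back), as an added example that is not code from the original post. The function names, the tag whitelist of <i>, <u> and <b>, and the sample inputs are assumptions made for this illustration; the BBCode variant is included to show that the two approaches do the same work.

```php
<?php
// Added example (not from the original post): restrict user input to a
// whitelist of bare inline tags by escaping everything first and then
// restoring only the exact, attribute-free forms of the allowed tags.

/**
 * Escape an entire string for HTML, then convert the allowed tags back.
 * Only the literal "<tag>" and "</tag>" forms are restored, so anything
 * carrying attributes (e.g. "<b onmouseover=...>") stays escaped.
 */
function allow_limited_html(string $input, array $allowed = ['i', 'u', 'b']): string
{
    // Step 1: escape everything. ENT_QUOTES also escapes single quotes.
    $out = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // Step 2: restore the allowed tags from their escaped form.
    foreach ($allowed as $tag) {
        $tag = strtolower($tag);
        $out = str_ireplace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $out
        );
    }
    return $out;
}

/**
 * The BBCode variant of the same idea: escape everything, then map
 * [tag] / [/tag] to the real HTML tags. The work done is the same as above;
 * only the markers that are converted back differ.
 */
function allow_limited_bbcode(string $input, array $allowed = ['i', 'u', 'b']): string
{
    $out = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    foreach ($allowed as $tag) {
        $tag = strtolower($tag);
        $out = str_ireplace(
            ["[$tag]", "[/$tag]"],
            ["<$tag>", "</$tag>"],
            $out
        );
    }
    return $out;
}

// Constructed sample inputs (not from the original post).
$samples = [
    'Some <b>bold</b> and <i>italic</i> text',
    'Attribute smuggling: <b onmouseover="alert(1)">x</b>',
    'Script tag: <script>alert(1)</script>',
    'BBCode: [b]bold[/b] and [i]italic[/i]',
];

foreach ($samples as $s) {
    echo allow_limited_html($s), "\n";
    echo allow_limited_bbcode($s), "\n";
}
```

Run with `php example.php`. The first sample comes back with its <b> and <i> intact, the <script> sample stays fully escaped, and in the attribute sample only the closing </b> is restored while the opening tag with its attribute remains as escaped text. That last case shows one caveat of the convert-back approach: it can leave unbalanced tags in the output, so if layout matters a final pass that closes or drops unmatched tags is worth adding.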
