Re: hyperlinking unique input strings on the fly when displaying in HTML
This WebDNA talk-list message is from 2000
Then that means the stripping of the HTML would have to happen as the input data was going *in* the db, as opposed to when I pull it out to display...

John Peacock wrote:
> Yes, therein lies the rub. Having to keep a list of malicious HTML is
> not a useful bit of time spent. I would recommend coming up with some
> sort of shorthand notation that even the dimmest user could fathom:
>
> _link_http://www.mysite.com/bite_me.html_link_
>
> as an example. Then you fix up the link as you see fit. I would
> caution against any kind of list of evil tags, since you will miss one
> and regret even walking down that path. Strip anything that looks like
> HTML and insert your own HTML around the link is my advice.
>
> John Peacock
>
> John Butler wrote:
> >
> > Thank You John!
> >
> > Seems to me that with the below kind of solution, the only real hard part would be to have a
> > comprehensive list of malicious HTML strings. no?
> >
> > Even without 4.0's new features (we may need to go mission critical before 4 is debugged) we
> > can still...
> >
> > allow any input (and NOT just convert all < chars), look thru a user's input text and find
> > 'words' which start with some flag (http:// , or anything else we explicitly tell the user to
> > use - like ***, or whatever) and then wrap that word (perhaps without the flag) with the
> > appropriate tag, and then when displaying the entire input, we just looked for
> > certain potentially malicious strings (like
> >
> > something like-
> > [listwords...(list the entire input, delim by spaces)]
> > [showif [word]^
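
Added example, not part of the original message and not WebDNA code: a Python sketch of the approach recommended in the quoted reply, where nothing in the user's text is trusted as HTML and the only markup in the output is the anchor the site itself wraps around a `_link_..._link_` marker. It escapes rather than strips (a swapped-in technique that needs no tag list), and the function names, the http/https scheme allowlist and the `rel` attribute are assumptions of this example.

```python
import html
import re
from urllib.parse import urlsplit

# Marker syntax from the thread: _link_<url>_link_
LINK_RE = re.compile(r"_link_(\S+?)_link_")
ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links are wanted


def is_safe_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that have a host part."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_user_text(raw: str) -> str:
    """Escape all user input, then add our own <a> tags around marked links."""
    out = []
    pos = 0
    for m in LINK_RE.finditer(raw):
        # Text between markers is always escaped, never interpreted as HTML.
        out.append(html.escape(raw[pos:m.start()], quote=True))
        url = m.group(1)
        if is_safe_url(url):
            # Escape the URL too, so quotes cannot break out of href="...".
            safe = html.escape(url, quote=True)
            out.append(f'<a href="{safe}" rel="nofollow noopener">{safe}</a>')
        else:
            # Rejected link: show it as inert text, markers included.
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(raw[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input for illustration.
    sample = 'Hi <b>all</b>, see _link_http://example.com/a_b.html_link_'
    print(render_user_text(sample))
```

The same function can run when the text goes into the database or when it is displayed; escaping at display time keeps the stored text unchanged.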