Re: hyperlinking unique input strings on the fly when displaying in HTML

This WebDNA talk-list message is from 2000. (numero = 31715)
Then that means the stripping of the HTML would have to happen as the input data was going *in* the db, as opposed to when I pull it out to display...

John Peacock wrote:
> Yes, therein lies the rub. Having to keep a list of malicious HTML is
> not a useful bit of time spent. I would recommend coming up with some
> sort of shorthand notation that even the dimmest user could fathom:
>
> _link_http://www.mysite.com/bite_me.html_link_
>
> as an example. Then you fix up the link as you see fit. I would
> caution against any kind of list of evil tags, since you will miss one
> and regret even walking down that path. Strip anything that looks like
> HTML and insert your own HTML around the link is my advice.
>
> John Peacock
>
> John Butler wrote:
> >
> > Thank You John!
> >
> > Seems to me that with the below kind of solution, the only real hard part would be to have a
> > comprehensive list of malicious HTML strings. no?
> >
> > Even without 4.0's new features (we may need to go mission critical before 4 is debugged) we
> > can still...
> >
> > allow any input (and NOT just convert all < chars), look thru a user's input text and find
> > 'words' which start with some flag (http:// , or anything else we explicitly tell the user to
> > use - like ***, or whatever) and then wrap that word (perhaps without the flag) with the
> > appropriate tag, and then when displaying the entire input, we just look for
> > certain potentially malicious strings (like
> >
> > something like-
> > [listwords...(list the entire input, delim by spaces)]
> > [showif [word]^
> > [convertchars db=custom][word][/convertchars]
> > [/showif]
> > [showif [word]^another malicious HTML chunk]
> > [convertchars db=custom][word][/convertchars]
> > [/showif]
> > [showif [word]^another malicious HTML chunk]
> > [convertchars db=custom][word][/convertchars]
> > [/showif]
> > [showif [word]~http://]
> > [word]
> > [/showif]
> > [/listwords]
> >
> > This would require having a list of all the malicious HTML we wanted to check for. That seems
> > to be the hardest part.
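An added example, in Python, of the approach John Peacock recommends above: entity-encode everything in the user's text so no input HTML survives, then emit your own anchor around a link written in the `_link_URL_link_` shorthand (or a bare http:// word, the `[word]~http://` case from John Butler's sketch). It is placed beside the substring-stripping approach the thread is wary of, so the two can be compared on the same input. This is not code from the list or from WebDNA; the function names, the bare-URL handling and the http/https scheme allow-list are this example's own assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical helper names. The link syntax is the _link_URL_link_ shorthand
# from the thread plus bare http(s):// words (the [word]~http:// case).
LINK_RE = re.compile(r"_link_(\S+?)_link_|(https?://\S+)")

# Assumption: only web URLs may become anchors.
ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url):
    """Return the URL if it is an absolute http(s) URL with a host, else None.

    An allow-list on the scheme is what keeps the anchor we write from
    pointing at anything other than a web address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render(text):
    """Escape everything, then wrap recognised links in our own <a> tag.

    No user-supplied HTML survives: every '<', '>', '&' and quote in the
    input is entity-encoded, and the only markup in the output is the
    anchor this function writes itself, with the href encoded as well.
    """
    out = []
    pos = 0
    for m in LINK_RE.finditer(text):
        # Plain text between links is escaped, never passed through.
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = m.group(1) or m.group(2)
        href = safe_href(url)
        if href is None:
            # Not an acceptable URL: keep the token as literal, escaped text.
            out.append(html.escape(m.group(0), quote=True))
        else:
            esc = html.escape(href, quote=True)
            out.append(f'<a href="{esc}">{esc}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def denylist_strip(text, bad=("<b>", "</b>")):
    """The approach the thread warns against: remove known-bad substrings.

    Exact-match removal is incomplete by construction; a different spelling
    of a listed tag (here just a case change) passes straight through.
    """
    for token in bad:
        text = text.replace(token, "")
    return text


if __name__ == "__main__":
    # Constructed sample input mixing the shorthand, a bare URL and markup.
    sample = ("see _link_http://www.mysite.com/bite_me.html_link_ "
              "or http://example.com/ <b>now</b>")
    print(render(sample))
    print(denylist_strip("<B>shout</B>"))
```

The design point is the order of operations: encoding happens first and unconditionally, and markup is added afterwards only by the renderer, so there is no list of bad tags to maintain and nothing to miss. The bare-URL branch takes the whole non-space run, so trailing punctuation stays part of the link; tightening that is a usability matter, not a safety one.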