Re: hyperlinking unique input strings on the fly when displaying in HTML

This WebDNA talk-list message is from 2000. It keeps the original formatting.

Message number: 31709
Yes, therein lies the rub. Having to keep a list of malicious HTML is not a useful bit of time spent. I would recommend coming up with some sort of shorthand notation that even the dimmest user could fathom: _link_http://www.mysite.com/bite_me.html_link_ as an example. Then you fix up the link as you see fit. I would caution against any kind of list of evil tags, since you will miss one and regret even walking down that path. Strip anything that looks like HTML and insert your own HTML around the link is my advice.

John Peacock

John Butler wrote:
>
> Thank You John!
>
> Seems to me that with the below kind of solution, the only real hard part would be to have a
> comprehensive list of malicious HTML strings. no?
>
> Even without 4.0's new features (we may need to go mission critical before 4 is debugged) we
> can still...
>
> allow any input (and NOT just convert all < chars), look thru a user's input text and find
> 'words' which start with some flag (http:// , or anything else we explicitly tell the user to
> use - like ***, or whatever) and then wrap that word (perhaps without the flag) with the
> appropriate tag, and then when displaying the entire input, we just looked for
> certain potentially malicious strings (like
> something like-
> [listwords...(list the entire input, delim by spaces)]
> [showif [word]^ [convertchars db=custom][word][/convertchars]
> [/showif]
> [showif [word]^another malicious HTML chunk]
> [convertchars db=custom][word][/convertchars]
> [/showif]
> [showif [word]^another malicious HTML chunk]
> [convertchars db=custom][word][/convertchars]
> [/showif]
> [showif [word]~http://]
> [word]
> [/showif]
> [/listwords]
>
> This would require having a list of all the malicious HTML we wanted to check for. That seems
> to be the hardest part.
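The reply above argues for escaping everything and generating the link markup yourself, rather than maintaining a deny-list of bad tags. As an added illustration (not code from this thread, and not WebDNA), the Python below renders user text that way: every character is HTML-escaped first, and an anchor is emitted only for tokens written in the `_link_..._link_` notation the reply suggests, or for bare `http://` words as the quoted message proposed. The marker syntax, the scheme allow-list and the sample inputs are assumptions chosen for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed notation from the thread: _link_http://host/page.html_link_, plus bare http(s):// words.
LINK_TOKEN = re.compile(r"_link_(.+?)_link_|(https?://\S+)")

# Only these URL schemes are turned into anchors; anything else stays escaped text.
ALLOWED_SCHEMES = {"http", "https"}


def render_link(url: str, raw_token: str) -> str:
    """Emit an anchor for an allowed URL; otherwise show the original token as escaped text."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return html.escape(raw_token, quote=True)
    # quote=True also escapes '"', so the URL cannot break out of the href attribute.
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def render_safe(text: str) -> str:
    """Escape all user text, then insert anchors only where our own marker rules match.

    No deny-list is consulted: markup the user typed is never interpreted as HTML.
    """
    pieces = []
    pos = 0
    for m in LINK_TOKEN.finditer(text):
        pieces.append(html.escape(text[pos:m.start()], quote=True))
        url = m.group(1) if m.group(1) is not None else m.group(2)
        pieces.append(render_link(url, m.group(0)))
        pos = m.end()
    pieces.append(html.escape(text[pos:], quote=True))
    return "".join(pieces)


if __name__ == "__main__":
    # Constructed sample inputs: a marked link, a bare URL, raw markup, and a non-http scheme.
    for sample in (
        "see _link_http://www.mysite.com/bite_me.html_link_ for details",
        "visit http://a.example/x please",
        "<script>alert(1)</script> http://x.com/\"><script>",
        "_link_javascript:alert(1)_link_",
    ):
        print(render_safe(sample))
```

The order matters: escaping first and linking second means the only markup that ever reaches the page is the anchor the code itself builds, so there is no list of evil tags to keep current.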