Re: hyperlinking unique input strings on the fly when displaying in HTML

This WebDNA talk-list message is from 2000


numero = 31714
You got it. That is one reason why 4.0 has a [RemoveHTML] tag. For now you can just do the same thing you are doing now, except test every word for anything like a tag and nuke it. Also test for your _link_ and use middle to grab the link itself and make it into a real HTML link.

John Peacock

John Butler wrote:
>
> Then that means the stripping of the HTML would have to happen as the input data was going *in* the
> db, as opposed to when I pull it out to display...
>
> John Peacock wrote:
> >
> > Yes, therein lies the rub. Having to keep a list of malicious HTML is
> > not a useful bit of time spent. I would recommend coming up with some
> > sort of shorthand notation that even the dimmest user could fathom:
> >
> > _link_http://www.mysite.com/bite_me.html_link_
> >
> > as an example. Then you fix up the link as you see fit. I would
> > caution against any kind of list of evil tags, since you will miss one
> > and regret even walking down that path. Strip anything that looks like
> > HTML and insert your own HTML around the link is my advice.
> >
> > John Peacock
> >
> > John Butler wrote:
> > >
> > > Thank You John!
> > >
> > > Seems to me that with the below kind of solution, the only real hard part would be to have a
> > > comprehensive list of malicious HTML strings. no?
> > >
> > > Even without 4.0's new features (we may need to go mission critical before 4 is debugged) we
> > > can still...
> > >
> > > allow any input (and NOT just convert all < chars), look thru a user's input text and find
> > > 'words' which start with some flag (http:// , or anything else we explicitly tell the user to
> > > use - like ***, or whatever) and then wrap that word (perhaps without the flag) with the
> > > appropriate tag, and then when displaying the entire input, we just look for
> > > certain potentially malicious strings (like
> > >
> > > something like-
> > > [listwords...(list the entire input, delim by spaces)]
> > > [showif [word]^
> > > [convertchars db=custom][word][/convertchars]
> > > [/showif]
> > > [showif [word]^another malicious HTML chunk]
> > > [convertchars db=custom][word][/convertchars]
> > > [/showif]
> > > [showif [word]^another malicious HTML chunk]
> > > [convertchars db=custom][word][/convertchars]
> > > [/showif]
> > > [showif [word]~http://]
> > > [word]
> > > [/showif]
> > > [/listwords]
> > >
> > > This would require having a list of all the malicious HTML we wanted to check for. That seems
> > > to be the hardest part.
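Added example, not from the thread or from WebDNA: the approach John Peacock recommends (escape everything that looks like HTML, no list of evil tags, then rebuild only the _link_ markers into real anchors) written in Python. The function names, the http/https scheme check and the sample inputs are my own assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Marker syntax proposed in the thread: _link_http://www.mysite.com/bite_me.html_link_
LINK_RE = re.compile(r"_link_(.+?)_link_", re.DOTALL)


def safe_href(raw: str):
    """Return the URL if it is a plain http(s) link with a host, else None.

    The allowlist on the scheme is an assumption added here; the thread only
    says to 'fix up the link as you see fit'.
    """
    candidate = raw.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return candidate


def render_user_text(text: str) -> str:
    """Escape all user text wholesale, then turn _link_ markers into anchors."""
    out = []
    pos = 0
    for m in LINK_RE.finditer(text):
        # Everything outside a marker is escaped; no blocklist of tags is kept,
        # so there is nothing to 'miss'.
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = safe_href(m.group(1))
        if url is None:
            # Not an acceptable URL: show the marker literally, still escaped.
            out.append(html.escape(m.group(0), quote=True))
        else:
            # Escape the URL again for the attribute and the link text.
            esc = html.escape(url, quote=True)
            out.append(f'<a href="{esc}">{esc}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)
```

Because escaping happens at display time, the raw marker text can be stored in the db unchanged, which is the alternative John Butler was weighing.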