I've been loosely following this thread, and have a question now. Isn't one advantage of a BBCode-type solution that you can more easily avoid session hijacking via cross-site scripting? If you allow HTML, then you open the door for people to add event handlers. I guess you could always strip them, but it seems like for simple stuff BBCode isn't a bad solution.

On 7/11/05, Richard Davey <rich@xxxxxxxxxxxxxxxx> wrote:
> Hello Greg,
>
> Monday, July 11, 2005, 5:06:51 PM, you wrote:
>
> GD> I wouldn't know, <span> isn't one of the tags I allow.
>
> If you stick to the plain vanilla HTML tags such as i, b, u, etc then
> BBCode is pointless - I agreed on this with you several posts ago. I
> don't however use it just for that, I use it to let thousands of kids
> add a little sparkle to their messages/profiles with colours, images,
> etc -- without them having to have good CSS/HTML knowledge (most of them
> could handle a font tag, but that'd break my XHTML Trans). This is the
> point I argued all along to which I get "it's not really a security
> benefit" (no, it's a user benefit) and it's a "misuse of cpu cycles".
>
> For people I hold in such high regard, I'm ashamed at the lot of you :)
>
> GD> I don't bother with perfect tag validation, and I doubt the phpbb
> GD> bbcode people do either since they average about 2-3 exploits a
> GD> month on Bugtraq.
>
> Not that I'd let an install of phpBB anywhere near a site I run, they
> didn't invent BBCode, and in all fairness to those guys the majority
> of their exploits are elsewhere.
>
> GD> I allow a specific set of safe html tags and I provide a preview
> GD> function. Even after that, if the user goofs up I allow a specific
> GD> time span in which to edit the post to correct the goof.
>
> Ditto. I just don't force them to use HTML.
>
> Best regards,
>
> Richard Davey
> --
> http://www.launchcode.co.uk - PHP Development Services
> "I do not fear computers. I fear the lack of them." - Isaac Asimov
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
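The point raised above (BBCode lets you escape all raw HTML first and only re-introduce markup from an allow-list, so user-supplied event handlers never reach the page) as an added PHP example; this is illustration code written for this thread, not code from either poster, and the tag set, attribute patterns and sample posts are this example's own choices.

```php
<?php
// Minimal BBCode renderer: escape everything, then rebuild markup only from
// an allow-list of tags whose attribute values are strictly validated.

function render_bbcode(string $input): string
{
    // Step 1: neutralise all raw HTML, including any on* event handlers,
    // before any tag translation happens.
    $s = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: re-create markup only for BBCode tags we explicitly allow.
    $rules = [
        '~\[b\](.*?)\[/b\]~s' => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~s' => '<em>$1</em>',
        '~\[u\](.*?)\[/u\]~s' => '<u>$1</u>',
        // Colour must be a CSS hex value or a single plain word; nothing else.
        '~\[color=(#[0-9a-fA-F]{3,6}|[a-zA-Z]{1,20})\](.*?)\[/color\]~s'
            => '<span style="color:$1">$2</span>',
    ];
    $s = preg_replace(array_keys($rules), array_values($rules), $s);

    // URLs: only http(s) schemes are turned into links. The captured value
    // comes from the escaped text, so decode it, validate, then re-escape.
    return preg_replace_callback(
        '~\[url=([^\]\s]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://[^\s"\'<>]+$~i', $href)) {
                return $m[0]; // not an allowed URL: leave the BBCode as text
            }
            $safe = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $safe . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $s
    );
}

// Constructed sample posts, not real list traffic.
$samples = [
    '[b]hello[/b] and [color=#c00]red[/color]',
    '<b onmouseover="x()">raw html</b>',       // event handler is rendered as text
    '[url=javascript:alert(1)]click[/url]',    // non-http scheme is refused
    '[url=https://example.com/?a=1&b=2]site[/url]',
];
foreach ($samples as $post) {
    echo render_bbcode($post), "\n";
}
```

Because escaping happens before translation, even a malformed or unclosed BBCode tag can only ever produce literal text, never a live attribute or element.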