> Well, unless you have set your server up to execute PHP or CGI scripts in
> .html files, which is a very bad idea, the only thing you need to worry
> about is client-side scripting. You could just filter out all
> <script></script> tags if client-side scripting isn't important for your
> application...

That's one of the problems I have, but it seems a tough nut to crack. If I leave in the scripts, it opens a possibility of malicious scripts being fed to a user through the application. On the other hand, if I take out the scripts, I will be providing a broken version of the original page. People are not going to be happy if my "llama to alpaca"-application has the side effect of deleting all of their scripts.

I've been thinking of limiting this problem by preventing the direct displaying of the code (i.e. only allowing "Save As.." for the link to the user-submitted HTML). I guess a bit of JS could prevent accidental left-clicking on the link.

I've also been thinking of passing a special header for the HTML source code file, "Content-type: application/octet-stream" to suggest downloading rather than displaying the contents, but IE seems to just ignore it and display the HTML anyhow.

- Lauri Harpf

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
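
The download-only approach discussed in the message above, as an added example that is not part of the original post: the `application/octet-stream` type is paired with `Content-Disposition: attachment`, `X-Content-Type-Options: nosniff` and a `Content-Security-Policy: sandbox` fallback, so the browser is told to save the file, not to guess its type, and not to run scripts if it renders it anyway. The function names, the sample filename and the `.html` default are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Build the response headers for handing user-submitted HTML back as a
 * download instead of a rendered page. (Hypothetical helper, added example.)
 */
function download_headers(string $submittedName, int $length): array
{
    // Allow only a conservative character set: this strips quotes, CR/LF and
    // path separators, so the name cannot escape the quoted filename
    // parameter or smuggle an extra header line into the response.
    $name = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', basename($submittedName));
    $name = ltrim($name, '.');
    if ($name === '') {
        $name = 'page.html'; // assumed default name
    }

    return [
        // Generic binary type: nothing here says "render me as HTML".
        'Content-Type: application/octet-stream',
        // Explicit instruction to offer "Save As" rather than display inline.
        'Content-Disposition: attachment; filename="' . $name . '"',
        // Tell browsers that honour it not to sniff the body and override the type.
        'X-Content-Type-Options: nosniff',
        // Defence in depth: if the document is rendered anyway, it is
        // sandboxed, so its scripts do not execute.
        'Content-Security-Policy: sandbox',
        'Content-Length: ' . $length,
        'Cache-Control: private, no-store',
    ];
}

/** Stream a stored submission to the client with the headers above. */
function send_submitted_html(string $path, string $submittedName): void
{
    $size = is_file($path) ? filesize($path) : false;
    if ($size === false) {
        http_response_code(404);
        return;
    }
    foreach (download_headers($submittedName, $size) as $line) {
        header($line);
    }
    readfile($path);
}

// Constructed sample: a hostile filename carrying a quote and a CRLF sequence.
if (PHP_SAPI === 'cli') {
    print_r(download_headers("../evil\"\r\nSet-Cookie: x=1.html", 1234));
}
```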