On 7/16/05, Lauri Harpf <svr.tuomas@xxxxxxxxxxx> wrote: > > Well, unless you have set your server up to execute PHP or CGI scripts in > > .html files, which is a very bad idea, the only thing you need to worry > > about is client-side scripting. You could just filter out all > > <script></script> tags if client-side scripting isn't important for your > > application... > > That's one of the problems I have, but it seems a tough nut to crack. If I > leave in the scripts, it opens a possibility of malicious scripts being fed > to a user through the application. > > On the other hand, if I take out the scripts, I will be providing a broken > version of the original page. People are not going to be happy if my "llama > to alpaca"-application has the side effect of deleting all of their scripts. > > I've been thinking of limiting this problem by preventing the direct > displaying of the code (ie. only allowing "Save As.." for the link to the > user-submitted HTML). I guess a bit of JS could prevent accidental > left-clicking on the link. I've also been thinking of passing a special > header for the HTML source code file, "Content-type: > application/octet-stream" to suggest downloading rather than displaying the > contents, but IE seems to just ignore it and display the HTML anyhow. > > - Lauri Harpf > Forgot trying to work around IE. The browser is broken. It is non-standard. It's bugs are not fixed. The more you bang your head against the wall trying to fix what is Microsoft's responsibility to fix, the less reason people will have to switch to a non-broken browser (or OS!). Let them use a standards-compliant web browser. Dotan Cohen http://x-christmas.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
