On 26/04/07, Chris Shiflett <shiflett@xxxxxxx> wrote:
Dotan Cohen wrote: > It would be BBcode if anything. It may be the product of the > lazy, but I feel more secure parsing it than [x]HTML. BBCode is a pretty useless markup format. If you only want to allow / interpret a small subset of HTML, you can use a simple approach like this: http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss
Thanks, Chris, I read that a few times through this week! I'll make the decision based upon the users: I'll see what they already know. The truth is, I'll probably not allow either.
If you want to allow a larger subset, or you're just looking for a packaged solution, try HTML Purifier: http://htmlpurifier.org/
That is a great package. Dotan Cohen http://lyricslist.com/lyrics/artist_albums/136/crosby_bing.html http://what-is-what.com/what_is/3g.html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
