Forum OpenACS Development: Response to new bboard package

Posted by John Mileham on
And a protection for the far more evil variation... getting rid of closing tags that the user didn't open in their post to prevent spoofing other users and other dangerous breaches of trust. But this isn't as easy as it sounds unless we force users to post their HTML in XHTML-compliant form and parse it in nsxml for cleanliness (this has some pretty painful ramifications, including no use of the ampersand w/o using &amp;amp; encoding and the necessity of closing LIs, something I'm not usually that careful about in bboard posts). Otherwise somebody will have to do some clever regexps to cover pseudo-correct HTML that will work in browsers but isn't actually correct enough to be caught by a naive parser. I 'spose you could also use HTML Tidy to do that... that would probably be a major security win for all uploaded HTML (have the server tidy it before checking it and storing it). Maybe somebody is interested in writing an AOLserver module that ties into HTML Tidy?
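
A sketch of the cleanup this post describes, added here as an example and not part of the original post or of OpenACS: it uses Python's tolerant `html.parser` in place of nsxml or HTML Tidy, drops closing tags the post never opened, closes whatever the post left open, and re-encodes bare ampersands. The tag allowlist and the names `PostBalancer` and `balance_post` are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this sketch; a real bboard would choose its own.
ALLOWED = {"b", "i", "em", "strong", "p", "ul", "ol", "li",
           "blockquote", "pre", "code", "br"}
VOID = {"br"}  # elements that never take a closing tag

class PostBalancer(HTMLParser):
    """Re-emit a post so every tag it opens is closed, and nothing else is."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []    # fragments of cleaned HTML
        self.open = []   # stack of tags opened by this post

    def _close_through(self, tag):
        # Pop and close open tags until `tag` itself has been closed.
        while self.open:
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag, keep the text inside it
        if tag == "li":  # tolerate unclosed <li> within the current list
            for t in reversed(self.open):
                if t in ("ul", "ol"):
                    break
                if t == "li":
                    self._close_through("li")
                    break
        self.out.append(f"<{tag}>")  # attributes are discarded
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:  # a closer the post never opened is dropped
            self._close_through(tag)

    def handle_data(self, data):
        self.out.append(escape(data))  # bare & and < become entities

def balance_post(text):
    parser = PostBalancer()
    parser.feed(text)
    parser.close()
    parser._close_through(None)  # close whatever the post left open
    return "".join(parser.out)
```

Because the output is rebuilt from the parser's events instead of being patched with regexps, a stray `</table>` or `</blockquote>` in a post cannot reach the page template that wraps it.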