New HTML filtering code

Reply Subscribe

Thread Tools

Search this Thread

May 22, 2001 | 02:12 PM

Johannes Erdfelt

Thread Starter

Member

Joined: Mar 2000

Posts: 3,401

Likes: 0

New HTML filtering code

I've implemented some new HTML filtering code. It's active on the forums now and you may have seen some subtle changes.

It is a bit more pedantic about correct HTML. It'll rebuild all HTML tags in your message now to make sure the tag is correct and not allow anything we don't want into it. You may see things like border=0 turned into border="0".

Also, it validates all URL's where applicable. This means no more javascript.

It may also reorder the attributes while rebuilding the tag. This is just a quirk of the algorithm I implemented. It's harmless.

If for some reason the code doesn't like your HTML tags, or you just casually use < and > in your message, it will convert the brackets into the appropriate SGML entities, instead of ignoring them or stripping them out like before.

I've done some extensive testing of the code and it seems to be working correctly in all cases now. If you see anything weird, please follow up.

I'll be scrubbing all of the existing messages and all of the existing signatures soon. I've been testing my code on the existing signatures and have found hundreds of mistakes people have made. Be forewarned that your signature may break soon if you have invalid HTML.

May 23, 2001 | 12:16 PM

muhammadc

Junior Member

Joined: May 2000

Posts: 1,983

Likes: 0

What exactly is allowed?

For example, a font size in your signature can't be changed (although it could at one time) ... are there specific codes you do and do not allow? Seems like images and links, and just simple text code works, but once you get beyond that it doesn't.

May 23, 2001 | 10:00 PM

Johannes Erdfelt

Thread Starter

Member

Joined: Mar 2000

Posts: 3,401

Likes: 0

Here's the exhaustive list:

<a href="" target=""></a>
<img src="" border="" alt="">




<tt></tt>
<big></big>


We check href and src for a valid URL, target can only be a couple of common ones (_top, _new, etc) and border can only be a number.

Any suggestions for more? The new code can control attributes much better now. I'm thinking maybe <pre></pre>?

The only thing is it can't handle forcing of nesting of tags (ie tables) correctly. It'll handle arbitrary nested tags, just won't force a specific ordering.

May 24, 2001 | 11:46 AM

hwj

AudiWorld Super User

Joined: Mar 2000

Posts: 17,068

Likes: 0

From: San Jose, CA

What about...

Hey, Johannes. Can you please allow the <tt>width</tt> and <tt>height</tt> attributes for <tt>img</tt> tags? I've always used them in the past when I post pics, as it will cause most people's browsers to lay out the page much quicker when it knows how big the image placeholder needs to be before it even starts loading the image file.

May 24, 2001 | 01:27 PM

Johannes Erdfelt

Thread Starter

Member

Joined: Mar 2000

Posts: 3,401

Likes: 0

I was hesitant to allow height and width tags because people might abuse them

How about I put a restriction on them? Max of 1280 by 1024?

May 24, 2001 | 02:20 PM

hwj

AudiWorld Super User

Joined: Mar 2000

Posts: 17,068

Likes: 0

From: San Jose, CA

Hmm.

Do you really think people would abuse them? Are you mostly concerned with the newbie-type who likes to post a dozen image links to 1600x1200 images and then setting the width and height in the tag to 160x120? ("Look, everybody! I made thumbnails!" NOT.)