Antville Project

hns, September 3, 2001 at 8:11:05 PM CEST

Allowed HTML tags and forbidden ones

Kris mentioned a while back that some HTML tags should be allowed in stories and comments while others should be forbidden. I'm watching into this now. Can anybody give me a more or less complete list of what tags should be allowed and what not?

comment    

 
kris, September 3, 2001 at 8:52:11 PM CEST

how about leaving it to the admin

i think it depends on the intention of the site. if you have a completely open site where everyone can contribute you may want to allow nothing but "b", "i", "emph", "a href", "blockquote" and maybe lists. on the other hand, if you have responsible contributors, you may allow everything.

some tags are definitely evil, like "script", "iframe", "embed" and "img" (you can disguise html with included javacript as image, because ie doesn't care about mime settings. it treats this like html). other tags are just plain ugly, like "font".

i like what manila does with legal tags. it has a admin page with checkboxes for which tags should be allowed and which shouldn't.

link  

 
robert, September 3, 2001 at 10:03:47 PM CEST

sounds reasonable

to leave it up to admins (with a pretty restrictive default-set of legal tags). to the "evil" tags i'd add "layer" and "ilayer", and maybe "span" and "div". and one could also try a legal tag together with the "style"-attribute to destroy a layout, or some event-handers ...

link  

 
kris, September 3, 2001 at 10:28:05 PM CEST

question of philosophy

let's face it, if someone messes with macros or with "class" and "style" attributes just to annoy you, you simply delete the message. on the other hand everyone can write complete bullshit. this is actually a bigger problem, because it does not require any intelligence.

i think it is important to block everything that could be a possible security hole. i wouldn't worry about the attributes.

another problem arises with tables. some browsers don't display pages if the "table" tag is not closed. looks like you either need a validiator script or you close open tags at the end of the message. (and maybe you should allow the admin to edit everything to correct these things.)

link  

 
tobi, September 3, 2001 at 11:55:14 PM CEST

content

it's a little bit off-topic, but generally i agree with kris that the bigger problem is (ie. can be) the content between the tags, just think about why yoobay has left the building.

link  

 
robert, September 4, 2001 at 9:59:29 AM CEST

i think

i've experienced too much trouble with funny people trying to learn html in discussion-boards ... it really can be annoying if somebody craps your page by using simple style-attributes (i forgot one tag: "embed" is also pretty dangerous ...)

but i agree that the content between the tags can probably be a bigger problem ...

link  

 
hns, September 4, 2001 at 10:14:10 AM CEST

I agree with kris

that admins should be able to edit everything. I sometimes have to do this for not-quite-right links tags on henso.com comments. (I'm using the helma inspector for it.) I think a site admin should be trusted to do this. It's a technical and ideological issue more than an editorial one: A site is owned by its admins like it was on their own harddisk. Whether the folks owning an Antville site implement a sensitive editorial policy is up to them, we can't (and shouldn't try to) force it upon them.

Now having an "edit" link next to each comment would certainly give the wrong idea. Actually, I also find that having a "delete" link next to each comment has some kind of strange taste to it. What I would propose is that admins get one "admin" link for comments from other people, and from there on can edit or delete them.

link  


... comment


The Antville Server Fund has been a great success. Thanks to everybody who contributed!
online for 8551 Days
last updated: 1/4/11, 10:22 AM
status
Youre not logged in ... Login
menu
... home
... topics
... galleries

... Home
... Tags

... Antville.org


... about antville
... download

... macros.antville.org
... help.antville.org
... translate antville!
... antville home
November 2024
SunMonTueWedThuFriSat
12
3456789
10111213141516
17181920212223
24252627282930
July
recent
zfuture's house here is zfuture's
house
by zfuture (7/31/03, 2:59 AM)
i understand your concerns however,
i hardly can think of a solution. certainly, if the...
by tobi (7/29/03, 9:47 AM)
Found several more similar sites
listed This is getting to be quite a concern to...
by cobalt123 (7/27/03, 7:56 PM)
Second Post Alert on Referrer
bug livecatz I put this into "help" and now here:...
by cobalt123 (7/26/03, 7:14 PM)
well it's not easy to
find from here, anyway. think we should include a link,...
by tobi (7/24/03, 11:25 AM)
So finally I found
the helma Bugzilla - stupid me.
by mdornseif (7/24/03, 10:28 AM)
clock not that it's particularly
earthshattering but the antclock is running slow by about 15...
by kohlehydrat (7/23/03, 8:25 PM)
but blogosphere.us isn't can't really
be rated as spam can it?
by kohlehydrat (7/23/03, 8:08 PM)
More referrer spam www.webfrost.com
by Irene (7/23/03, 7:55 PM)
How to log skin names
I accessed to console?? Hi, I would like to know...
by winson (7/23/03, 4:12 PM)

Click here to get an XML version of this weblog.

Made with Antville
powered by
Helma Object Publisher