Compatibility of custom HTML tags

[Doug Miller]

(e-mail address removed) wrote in @googlegroups.com:

Realistically, I do strip all HTML and JavaScript tags except for:

div|p|a|span|font|img|br|b|u|i

So what stops me from including this content?

<img src="http://www.pornographic_website.xxx/some_disgusting_photo.png">

 

[Jonathan N. Little]

(e-mail address removed) wrote in @googlegroups.com:


So what stops me from including this content?

<img src="http://www.pornographic_website.xxx/some_disgusting_photo.png">

Or worse:

<Files innocent-looking-but_really_evil_script.png>
ForceType application/x-httpd-php

 

[Gene Wirchenko]

On Fri, 7 Sep 2012 15:58:26 +0000 (UTC), Doug Miller

[snip]

If you are accepting user input and redisplaying it on your page
without editing or validating it in any way, you have FAR larger
problems than invalid HTML.

Valid HTML.

For example, what would stop me from submitting this user content?

I had to try...

<iframe src="http://www.identitytheftwebsite.com">

No such site.

or this?
<img src="http://www.pornographicpictures.png">

No such site, but the .com is taken.

Suggest you post in alt.php and/or comp.lang.php to learn
about proper editing and validation of user input, BEFORE you go
any farther with this project.

And even with that, there can be issues.

Sincerely,

Gene Wirchenko

 

[jwcarlton]

So what stops me from including this content?

<img src="http://www.pornographic_website.xxx/some_disgusting_photo.png">

I appreciate the concern that you guys have, but as I mentioned before, I have a rather lengthy program that I wrote to process and validate everything. It's not relevant to HTML or this thread, though, so I didn't think it was worth mentioning.

But for your reference, I automatically remove images that link to domains other than mine. That's why I allow the <img> tag, but earlier in the script I test it to make sure it's acceptable.

While they could realistically link to the image like so:

<a href="http://www.pornographic_website.xxx/some_disgusting_photo.png">
http://www.pornographic_website.xxx/some_disgusting_photo.png
</a>

(with the <a href...> tag generated via my script), I have filters in placeto prevent new or unregistered users from creating links to external websites. After they are registered for 24 hours, they can create a link like that, at which point it's up to another user to report it, and a moderator toremove it. And of course, repeated violations result in a suspended account.

But again, this really has nothing to do with the topic.

 

[Edward A. Falk]

I appreciate the concern that you guys have, but as I mentioned before, I have a rather
lengthy program that I wrote to process and validate everything. It's not relevant to
HTML or this thread, though, so I didn't think it was worth mentioning.

OK, just teach your validator to not allow <div> tags inside of <p> tags, and
other non-compliant combinations.