Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

Unapproved mark-up (both HTML tags and HTML attributes) are already always blocked. That takes care of the cross-site scripting security concern.

An enhancement was implemented to go further and better protect site layout from (usually unintentional) inclusion of approved tags in a manner that can interfere with layout beyond the contents of the individual submission. This enhancement goes beyond noting that 'br' tags are approved for inclusion so it also blocks any 'br' tags that are not "properly nested". So you can, for example, include "<br>", "<br></br>", and "<br />" and not have them blocked.

However, with the enhanced validation, including something like "</br>" or "</p>" without a matching, preceding opening tag, will lead to that tag being blocked. Without the enhancement, such constructs are included (which presents absolutely no problem that could be described as "security").

During the trial period where the enhancement is optional to shake out unintended consequences, it was discovered that misplacing the "/" in "<p />" by using "</p>" was such a common mistake that many browsers had decided to interpret the latter as the former.

That was really the only major problem discovered. It frankly should not be particularly difficult to fix that and then make the enhancement no longer optional. I'm even tempted to just make the enhancement no longer optional even without that tweak (except for the impact it would have on previously-posted nodes).

I thought that I had already made the increased validation the default for new users and something that applied to anonymonk. At least the latter appears to not be true or was reverted (perhaps by a bug that allowed anonymonk to sometimes impact those settings).

- tye        

In reply to Re^5: side effects "Enforce proper nesting of HTML" (security) by tye
in thread side effects "Enforce proper nesting of HTML" by LanX

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others taking refuge in the Monastery: (4)
    As of 2020-10-21 04:40 GMT
    Find Nodes?
      Voting Booth?
      My favourite web site is:

      Results (212 votes). Check out past polls.