How is your advice regarding HTML safety poor? Let me count the ways:
- It's best to clean up your data both before and after. Before storing the data, you need to clean it up enough to make it safe to store. (In many cases, this can be skipped in favor of using parametrized queries (placeholders).)
Cleanup for display needs to be done immediately prior to display because, if you only clean up the HTML before storing it and a new exploit is discovered next week, the data already in your database may still contain that exploit. Doing this cleanup on display is the only way to ensure that all current cleanup will be performed on older data. (Pre-cleaning before storage isn't a bad thing, but it is not sufficient by itself.)
- < and > are major issues even if you don't use javascript. <iframe src='http://rogue.com/path/to/exploit.html'></iframe>, for example.
- Your set of suggested regexes take a blacklisting approach ("block these three specific characters") which, by its very nature, is susceptible to letting potential dangers slip through. It's much better to go with whitelisting ("this set of characters are known (or at least believed) to be safe; block everything else") in the general case or to use a proper HTML escaping function in the specific case of handling HTML output.
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|