[13750] in bugtraq
Re: Fwd: CERT Advisory CA-2000-02
daemon@ATHENA.MIT.EDU (Byron Alley)
Tue Feb 8 03:46:58 2000
Message-Id: <Pine.LNX.4.10.10002071555360.5242-100000@lionslair.uvic.ca>
Date: Mon, 7 Feb 2000 16:02:08 -0500
Reply-To: liondios@uvic.ca
From: Byron Alley <liondios@UVIC.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <389C05F3.4B139AE8@hem.passagen.se>
Henrik Nordstrom said:
> For the case of publishing information on a shared web site using strict
> HTML filtering is also beneficial as it forces all authors to use a
> common HTML dialect, guaranteed not to disturb the site enforced layout
> or presentation, and helps keep the information authors on track for
> providing the information rather than fiddling around too much in layout
> or presentation details.
Some web sites use an implementation based on this idea of a subset of
HTML. You don't even need to use real HTML - just take the most useful
functions, like bold, italics - and build a sub-language. In at least one
case I recall, a site used a format with []'s: [B] instead of <B>, etc.
This way you can safely remove any kind of tags, translate >'s to &gt;
entities, etc. Naive users may not even know HTML anyways, and advanced
users will find it intuitive.
It's questionable whether there is real usefulness in allowing a full
range of HTML tags. This solution fits.
- Byron
Prizes are for children.
- Charles Ives, upon being given, but refusing, the Pulitzer prize
Byron Alley --> http://www.calicocity.com
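The bracket sub-language Byron describes, written out as an added example (this is not code from the post or from any site mentioned in it): every real angle bracket is entity-encoded first, and only a whitelisted set of [tag]...[/tag] pairs is turned into HTML afterwards. The allowed tag set, the function name and the handling of unmatched tags are my assumptions.

```python
import html
import re

# Whitelisted bracket tags and the HTML element each maps to (assumed set).
ALLOWED = {"b": "b", "i": "i", "u": "u"}

# A token is [name] or [/name]; only letters are accepted inside the brackets.
_TOKEN = re.compile(r"\[(/?)([A-Za-z]+)\]")


def render_subset(text: str) -> str:
    """Render user text written in the bracket sub-language as safe HTML.

    Step 1: '<', '>', '&' and quotes become entities, so nothing the author
            typed can ever be parsed as real HTML (there are no tags left to
            strip, which is the point of the sub-language).
    Step 2: only whitelisted [tag]...[/tag] pairs become markup, and only when
            correctly nested, so the output is always well-formed and cannot
            break out of the site's own layout.
    """
    escaped = html.escape(text, quote=True)
    out = []
    stack = []  # currently open tags, used for the nesting check
    pos = 0
    for m in _TOKEN.finditer(escaped):
        closing, name = m.group(1) == "/", m.group(2).lower()
        out.append(escaped[pos:m.start()])
        pos = m.end()
        if name not in ALLOWED:
            out.append(m.group(0))  # unknown tag: keep as literal text
        elif not closing:
            stack.append(name)
            out.append(f"<{ALLOWED[name]}>")
        elif stack and stack[-1] == name:
            stack.pop()
            out.append(f"</{ALLOWED[name]}>")
        else:
            out.append(m.group(0))  # stray or mis-nested close: literal text
    out.append(escaped[pos:])
    # Close anything the author left open so the surrounding page is unaffected.
    while stack:
        out.append(f"</{ALLOWED[stack.pop()]}>")
    return "".join(out)
```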