You are here: Home » Members » 4AM Productions (Evan Simpson) » DTMLWiki » stripHTML » wikipage_view

stripHTML

"stripHTML" Proposal

Example of implementation

<dtml-var userobject fmt=filtertags>

Goals

  • Allow malicious HTML code to be filtered out of text that is input by untrusted users.

Proposed Changes

Add to DTML Documents and Methods a processing step which recognizes SGML tags with a filtertags attribute, parses them, and replaces them with filtered versions of the text. The level of filtering should be configurable: at high levels it removes everything that is normally parsed as a tag, while lower levels allow things like URL links and lists/formatting, but not image tags or the script tag. It would probably be smart to subclass an SGML-parser class from the Python sources when implementing.
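The two filter levels and the parser-subclassing approach described above, worked out as an added Python example that is not part of the original proposal or of Zope/DTML. It subclasses the standard library's HTMLParser (sgmllib no longer ships with Python 3); the "low" level tag allowlist, the per-tag attribute allowlist and the href scheme allowlist are constructed for this example, and disallowed tags are escaped to entities rather than deleted so the untrusted text stays readable.

```python
import html
from html.parser import HTMLParser

# Constructed allowlists for the proposal's lower level: URL links and
# list/formatting tags, never img or script. The high level allows no tags.
LOW_LEVEL_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
LOW_LEVEL_ATTRS = {"a": {"href"}}          # every other attribute is dropped
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class TagFilter(HTMLParser):
    """Re-emit the input; tags not allowed at this level become harmless entities."""

    def __init__(self, level):
        super().__init__()                 # convert_charrefs=True: data arrives decoded
        self.allowed = set() if level == "high" else LOW_LEVEL_TAGS
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:        # escape the raw tag text rather than drop it
            self.out.append(html.escape(self.get_starttag_text(), quote=False))
            return
        kept = []
        for name, value in attrs:          # attribute values arrive entity-decoded
            if name not in LOW_LEVEL_ATTRS.get(tag, set()) or value is None:
                continue                   # drops on* handlers, style, valueless attrs
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                   # scheme allowlist, so javascript:/data: never pass
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append("</%s>" % tag)
        else:
            self.out.append("&lt;/%s&gt;" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))
    # comments, <!DOCTYPE ...> and <?...?> hit the base-class no-ops: dropped at every level

def strip_html(text, level="high"):
    """Filter untrusted text; level is "high" (no tags) or "low" (links and lists)."""
    parser = TagFilter(level)
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```

Because the parser decodes entities in attribute values before the scheme check runs, an href written as `&#106;avascript:` is still rejected; relative URLs are rejected too, which is the conservative choice for untrusted input.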

Result

It would be possible to achieve a higher level of security when dealing with untrusted users, and to keep the site's own HTML structure intact.

Other

I know this has been discussed, but I never saw anything concrete come out of those discussions. Mail me at mailto:[email protected] if there already is a simple way to achieve this.

Current Solution: Yes, there is an easy way to achieve this using _.getitem("foo"), which is shorthand for _.getitem("foo",0). This inserts the object contents and automagically turns the HTML delimiters into harmless entities. This will also turn off server-side rendering of the DTML code.

--Caseman