--- "CPT John W. Holmes" <[EMAIL PROTECTED]> wrote:
> > Let's make this personal: what would be your answer if I would
> > advise the friendly person to do this:
>
> Heh.. I hope you're just kidding about "making it personal".

I think it might be a language subtlety that wasn't intended to mean what we think it means. :-) I think he just meant that he wanted to get specific or something like that.

> I'm against letting users enter HTML in their data, also. I'd rather
> employ a bbcode type solution, turning [b] into <b>, etc. This way, YOU
> set the rules and say the user can do these _5_ things in this exact
> syntax. Otherwise you're held at the mercy of the HTML and browser
> specs and hoping that even just allowing <b> in the future won't have
> any security issues. When _you_ set the rules, you win.

I disagree with John here, but that's OK. :-) We seem to have different perspectives about this bbcode stuff. Personally, I see no need to define a new markup language that you intend to convert to HTML anyway. It is an unnecessary complication that yields no benefits from what I can see. If you run everything through htmlentities() but want some things interpreted, you can always use str_replace() to allow the very specific tags that you want. There's no need for regular expressions or risking the <b onclick=""> type of stuff.

But, that's the nice thing about this list. You get a lot of different perspectives, answers, etc.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
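The two approaches argued over in this thread, side by side, as an added example that is not code from either poster. Both functions first run the input through htmlentities() so that nothing the user typed is live markup; `allowExactTags()` then uses str_replace() to put back only byte-exact `<b>`/`</b>` style tags (Chris's suggestion), while `allowBbcode()` converts `[b]`/`[/b]` into the same HTML (John's suggestion). The tag list, function names and the sample string are assumptions made for the illustration.

```php
<?php
// Added example, not from the mailing-list thread. Whitelisting a few
// formatting tags on top of a fully escaped string.

// Approach 1: escape everything, then restore the exact tags on the
// whitelist. Only a byte-exact "<b>" or "</b>" is restored, so a tag
// carrying attributes such as <b onclick="..."> stays escaped text.
function allowExactTags(string $input, array $tags = ['b', 'i']): string
{
    // ENT_QUOTES also escapes single quotes; the encoding is stated
    // explicitly so the function does not depend on php.ini defaults.
    $safe = htmlentities($input, ENT_QUOTES, 'UTF-8');
    foreach ($tags as $tag) {
        $safe = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>", "</{$tag}>"],
            $safe
        );
    }
    return $safe;
}

// Approach 2: bbcode-style syntax. Users never type HTML; [b]...[/b]
// is translated to <b>...</b> after the whole string has been escaped.
function allowBbcode(string $input, array $tags = ['b', 'i']): string
{
    $safe = htmlentities($input, ENT_QUOTES, 'UTF-8');
    foreach ($tags as $tag) {
        $safe = str_replace(
            ["[{$tag}]", "[/{$tag}]"],
            ["<{$tag}>", "</{$tag}>"],
            $safe
        );
    }
    return $safe;
}

// Constructed sample input: a plain bold tag, a bold tag with an event
// handler attribute, an unlisted tag, and a bbcode pair.
$userText = 'Hello <b>world</b>, <b onclick="alert(1)">x</b> '
          . '<script>1</script> [i]ok[/i]';

echo allowExactTags($userText), PHP_EOL;
echo allowBbcode($userText), PHP_EOL;
```

Running it shows the trade-off the thread is about. With `allowExactTags()`, `<b>world</b>` comes back as markup, `<b onclick="alert(1)">` stays as escaped text because it is not an exact match, and `<script>` stays escaped; note that the stray `</b>` after the rejected tag is still restored, so the result can contain unbalanced tags, which is harmless but is the kind of HTML-spec dependence John is pointing at. With `allowBbcode()`, every angle bracket the user typed stays escaped and only `[i]ok[/i]` becomes `<i>ok</i>`. Neither approach needs a regular expression, and neither lets an attribute through.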