On Jul 12, 2005, at 6:50 AM, Chris Shiflett wrote:
As far as allowing [red] goes, you can just as easily add to
the list of available tags and not have to come up with a
replacement for every other HTML tag that already exists.
but what about the poor bastards that'll go around trying
Evert|Rooftop wrote:
If you for example only allow and doing this with bbcode
would require extra cpu-cycles to convert [i] to
I don't really agree with this, because I think escaping the html +
replacing bbcode would require less cpu cycles than scanning the string
for invalid html and escap
Richard Davey wrote:
I gave several valid good usability reasons, that I've yet to see
anyone provide a coherent reason not to use.
The usability arguments in favor of BBCode are fine. I'm not interested
in that debate. I just don't want more people thinking that allowing
BBCode somehow prote
The point is..
If you for example only allow and doing this with bbcode
would require extra cpu-cycles to convert [i] to
I don't really agree with this, because I think escaping the html +
replacing bbcode would require less cpu cycles than scanning the string
for invalid html and escapin
I've been loosely following this thread, and have a question now.
Isn't one advantage of a bbcode type solution that you can more easily
avoid session hijacking via cross site scripting? If you allow html,
then you open the door for people to add eventhandlers. I guess you
could always strip the
Hello Greg,
Monday, July 11, 2005, 5:06:51 PM, you wrote:
GD> I wouldn't know, isn't one of the tags I allow.
If you stick to the plain vanilla HTML tags such as i, b, u, etc then
BBCode is pointless - I agreed on this with you several posts ago. I
don't however use it just for that, I use it t
On 7/11/05, Richard Davey <[EMAIL PROTECTED]> wrote:
> u wanted to allow a user to say colour a piece of text red,
> they'd have to enter x to make it
I wouldn't know, isn't one of the tags I allow.
> happen? Poor bastards (never mind the fact I'd love to see you use
> less CPU cycles to perfect
Hello Greg,
Monday, July 11, 2005, 3:46:24 PM, you wrote:
GD> On 7/11/05, Richard Davey <[EMAIL PROTECTED]> wrote:
>> I gave several valid good usability reasons, that I've yet to see
>> anyone provide a coherent reason not to use.
GD> Misuse of CPU cycles.
So if you wanted to allow a user to s
On 7/11/05, Richard Davey <[EMAIL PROTECTED]> wrote:
> I gave several valid good usability reasons, that I've yet to see
> anyone provide a coherent reason not to use.
Misuse of CPU cycles.
--
Greg Donald
Zend Certified Engineer
MySQL Core Certification
http://destiney.com/
--
PHP General Mail
Hello Chris,
Sunday, July 10, 2005, 2:31:57 AM, you wrote:
CS> I completely agree. I think you'll find that, when pressed, no one
CS> can really provide a good reason to use BBCode. I often see
CS> security cited as a reason, but it makes no sense.
I gave several valid good usability reasons, th
On Fri, July 8, 2005 11:25 am, Ezra Nugroho said:
>
> Here is one security measure that you HAVE to do if you allow people to
> submit contents to your site.
>
> 1. track client's IP.
> 2. Associate sensitive cookies with the IP, if they don't match, ignore
> it or invalidate the cookie.
>
> We may
Ezra Nugroho wrote:
Here is one security measure that you HAVE to do if you allow people to
submit contents to your site.
1. track client's IP.
2. Associate sensitive cookies with the IP, if they don't match, ignore
it or invalidate the cookie.
If by "HAVE to" you mean "MUST NEVER," then I agr
Greg Donald wrote:
> [i]This text will be in italics.[/i]
> [b]This text will be in bold.[/b]
> [url=http://php.net]This will be a URL that points to php.net.[/url]
While I do not disagree with the information content of your post, I
do think this sort of thing is pretty silly.
If you're gonna
To follow-up my own post... which is sad I know, but hey...
Saturday, July 9, 2005, 7:08:37 PM, I wrote:
RD> The difference is the extra hoops your reg exps will have to jump
RD> through, and have to jump through perfectly. You will have to disallow
RD> all <'s and >'s, but do allow them for , ,
Hello Greg,
Saturday, July 9, 2005, 6:40:06 PM, you wrote:
GD> The same regular expression magic that keeps you from forgetting your
GD> [/i] can just as easily keep you from forgetting your .
The difference is the extra hoops your reg exps will have to jump
through, and have to jump through per
On 7/9/05, Richard Davey <[EMAIL PROTECTED]> wrote:
> I have to say I disagree, because with all modern BBcode parsers it
> would never get to that stage.
The same regular expression magic that keeps you from forgetting your
[/i] can just as easily keep you from forgetting your .
--
Greg Donald
Hello Greg,
Friday, July 8, 2005, 5:00:23 PM, you wrote:
GD> On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote:
>> Yep, but this has no way of breaking my html
GD> If [/i] is missing, it'd be the same as being missing.
I have to say I disagree, because with all modern BBcode parsers it
would nev
a user, unless you are fine with invalidating users on
> > a frequent basis
> >
> > Michael
> >
> > > -Original Message-
> > > From: Ezra Nugroho [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, July 08, 2005 11:49 AM
> > > To: Michael Caplan
> >
ge-
> > From: Ezra Nugroho [mailto:[EMAIL PROTECTED]
> > Sent: Friday, July 08, 2005 11:49 AM
> > To: Michael Caplan
> > Subject: RE: [PHP] Re: Security, Late Nights and Overall Paranoia
> >
> > True, but it's better than nothing.
> >
> >
On Jul 8, 2005, at 1:25 PM, Ezra Nugroho wrote:
Here is one security measure that you HAVE to do if you allow people to
submit contents to your site.
1. track client's IP.
2. Associate sensitive cookies with the IP, if they don't match, ignore
it or invalidate the cookie.
We may not stop th
Here is one security measure that you HAVE to do if you allow people to
submit contents to your site.
1. track client's IP.
2. Associate sensitive cookies with the IP, if they don't match, ignore
it or invalidate the cookie.
We may not stop the information redirection.
We can make the informati
On Jul 8, 2005, at 12:31 PM, Edward Vermillion wrote:
On Jul 8, 2005, at 12:02 PM, Ezra Nugroho wrote:
I am just wondering, how could someone craft an html to steal cookies?
If your cookie distribution is done right, I don't think you need to
worry about this.
That's what XSS is all abou
On Jul 8, 2005, at 12:02 PM, Ezra Nugroho wrote:
I am just wondering, how could someone craft an html to steal cookies?
If your cookie distribution is done right, I don't think you need to
worry about this.
That's what XSS is all about. I don't have the link handy but I do have
a PDF file
I am just wondering, how could someone craft an html to steal cookies?
If your cookie distribution is done right, I don't think you need to
worry about this.
There are a gazillion of sites (CMS-based, wiki-based, etc, including
php.net) that allow users to contribute html. They are not concern a
On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote:
> I am not really bothered about the closing tags (for example )
> I am more bothered about the opening closing tag (for example should be )
> as this can mess up my page...but this can't do squat: [i
> or this: i]
That's where a good preview function
On Jul 8, 2005, at 4:21 AM, <[EMAIL PROTECTED]> wrote:
Personally, I don't think it's a bad idea at all. The best way (and
probably ONLY real way) to achieve decent security would be to limit
the subset of tags the user can post. Best way to achieve this is to
use your own tagging system (e.g.
> > Yep, but this has no way of breaking my html
>
> If [/i] is missing, it'd be the same as being missing.
>
> I can just as easily clean out any missing tags as I can any
> missing [/i] tags.
>
I am not really bothered about the closing tags (for example )
I am more bothered about the ope
On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote:
> Yep, but this has no way of breaking my html
If [/i] is missing, it'd be the same as being missing.
I can just as easily clean out any missing tags as I can any
missing [/i] tags.
--
Greg Donald
Zend Certified Engineer
MySQL Core Certificati
Hey,
> > The problem with this approach is if people don't close their tags
properly
> Nothing makes it impossible for me to hand type and not close one of those
> tags.
>
> [i]blah
Yep, but this has no way of breaking my html
the max you would get is:
[i this will be in italics
which is
On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote:
> The problem with this approach is if people don't close their tags properly
Nothing makes it impossible for me to hand type and not close one of those tags.
[i]blah
--
Greg Donald
Zend Certified Engineer
MySQL Core Certification
http://destiney.com
Hey,
> > The typical way that forums handle this is to use what is called
> > "BBCode". In short, you have a non-HTML way for users to supply
> > [i]This text will be in italics.[/i]
> > [b]This text will be in bold.[/b]
> If you're gonna allow the tag then just allow it. There's no
> p
On 7/8/05, Jason Barnett <[EMAIL PROTECTED]> wrote:
> The typical way that forums handle this is to use what is called
> "BBCode". In short, you have a non-HTML way for users to supply
> information that will produce markup instead of just plain text. So if
> you want to allow italics, bolds, URL
The typical way that forums handle this is to use what is called
"BBCode". In short, you have a non-HTML way for users to supply
information that will produce markup instead of just plain text. So if
you want to allow italics, bolds, URL's, etc. then you have some codes
for it like:
[i]This