Lukas Smith [2005-01-29 18:09 UTC] We definately need a package like that. Mayone one thing that might be nice is to make the security policy configurable. So that the user gets more control over what gets stripped out. Then again there might be little sense in doing that since one holes is enough ..
However stripping out tags with no closing tag is going too far quite often I would say. Since we are talking about user probided input here mostly, it needs to be nice to the user too. Maybe an optional solution should therefore be to automatically add a " /" at the end of the opening tag.
Daniel Convissor [2005-01-29 20:01 UTC] Are you familliar with PHP's strip_tags function? There seems to be some overlap, though you provide more thorough sanitization. How about having the description explain the differences between your package and the function? This will avoid more people asking this question.
Please explain the benefit of this package over using
Please check out the phpDocumentor manual and the Sample File in the PEAR Coding Standards.
http://manual.phpdoc.org/HTMLSmartyConverter/default/phpDocumentor/tutorial_phpDocumentor.howto.pkg.html
http://pear.php.net/manual/en/standards.sample.php
Daniel Convissor [2005-01-30 16:47 UTC] Is there any relation between your package and SafeHTML?
http://freshmeat.net/projects/safehtml/
Does your package deal with people trying to obfuscate their attacks by using HTML entities (both ordinal and hex)? This was an issue in SafeHTML which they apparently addressed in release 1.2.1.
The layout of arrays could use some neatening up, including alphabetizing:
$array = array(
'another',
'value',
);
Some other pedantic comments:
* use single quotes instead of double quotes around strings when possible.
* put spaces between concatenated elements (eg "/" . $css . "/i") and assignment operators (eg $this->_xhtml .= "<" . $name;).
Roman Ivanov [2005-01-30 18:18 UTC] Daniel Convissor [2005-01-29 20:01 UTC]: differences explained in package description.
phpDoc issues seems to be fixed now.
Sveta Smirnova [2005-01-31 22:53 UTC] I like class HTML_Safe.
But fix typo, please:
/**
* Constructs class
*
* @access public
*/
function safehtml()
It is not constructor of class HTML_Safe
Davey Shafik [2005-02-01 01:12 UTC] It occurs to me that using HTML_BBCode_Parser and telling it to use < instead of [ would be a saner option.
:)
- Davey
Roman Ivanov [2005-02-01 09:42 UTC] Sveta Smirnova: fixed, thank you.
Davey Shafik:
This is not appropriate for some classes of systems, such as:
* blog hostings
* webmail systems
* RSS aggregators
* WYSIWYG-based editing
Roman Ivanov [2005-02-05 12:38 UTC] Daniel Convissor: I have fixed header comment block. Thank you.
If there are no more comments on this proposal the vote will be called soon.
|
