Your Ad Here

Sanitary comments

3 Oct 2002

Brad Choate’s got another Movable Type plugin out and this one enhances the security of your Weblog. The Sanitize Plugin allows you to specify a list of HTML tags that are allowed in the output of any MT tag—any other tags are stripped out.

If you allow people to use HTML in their comments, they can insert malicious code like <script>location.replace = 'http://somesite.com/';</script>. Using the Sanitize plugin, you can prevent <script> tags from ever appearing in your comments.

The plugin also makes sure that all tags that are opened are also closed. That way if someone accidentally leaves out a </b> it doesn’t bold the rest of the page.

This is also a good plugin to use on blogs that have multiple authors, on your trackbacks, and anywhere else that people other than you have access to enter HTML on your site.

Brad Choate
October 3, 2002 11:10 AM

Oooh— trackbacks. Good call. I had forgotten about that since usually what gets posted is the auto-generated excerpt (which I think is cleaned of tags as well). But if someone provided malicious code in their excerpt, that would probably be output as-is…


Your comments:

Text only, no HTML. URLs will automatically be converted to links. Your email address is required, but it will not be displayed on the site.

Name:

Email: (not displayed)

If you don't feel comfortable giving me your real email address, don't expect me to feel comfortable publishing your comment.

Website (optional):

Lijit Search

Best Of

Recently Read

Get More

Subscribe | Archives

Recently

Sprout Test (May 7)
A test post for Sprout widgets.
Product Leadership (May 3)
An anthology of product leadership writing.
Fighting Monster patent claims (Apr 16)
The patent bully picked on the wrong little guy.
Peavy's pine tar (Apr 6)
Jake Peavy's cheating
Bush and Morgan on inner city baseball (Mar 30)
Morgan and Bush discuss the role of baseball in the inner cities.
Not a fork (Mar 27)
We have no intention of forking Drupal. That would be nuts. So what are we doing then?
Eating our dogfood in the sausage factory (Mar 26)
Recursive development for the new Drupal powered community platform.

Subscribe to this site's feed.

Elsewhere

Feed Crier
Get alerted by IM when your favorite web sites and feeds are updated.
SacStarts
The Sacramento technology startup community.
Pinewood Freak
Pinewood Derby tips and tricks
Del.icio.us
My tagstream at del.icio.us.
Waddlespot
My son's Club Penguin community. News, blogs, tips, and tricks.

Contact

Adam Kalsey

Mobile: 916.600.2497

Email: adam AT kalsey.com

AIM or Skype: akalsey

Resume

PGP Key

©1999-2008 Adam Kalsey.
Content management by Movable Type.