Sanitary comments

Freshness Warning
This article is over 9 years old. It's possible that the information you read below isn't current.

3 Oct 2002

Brad Choate’s got another Movable Type plugin out and this one enhances the security of your Weblog. The Sanitize Plugin allows you to specify a list of HTML tags that are allowed in the output of any MT tag—any other tags are stripped out.

If you allow people to use HTML in their comments, they can insert malicious code like <script>location.replace = 'http://somesite.com/';</script>. Using the Sanitize plugin, you can prevent <script> tags from ever appearing in your comments.

The plugin also makes sure that all tags that are opened are also closed. That way if someone accidentally leaves out a </b> it doesn’t bold the rest of the page.

This is also a good plugin to use on blogs that have multiple authors, on your trackbacks, and anywhere else that people other than you have access to enter HTML on your site.

Brad Choate
October 3, 2002 11:10 AM

Oooh— trackbacks. Good call. I had forgotten about that since usually what gets posted is the auto-generated excerpt (which I think is cleaned of tags as well). But if someone provided malicious code in their excerpt, that would probably be output as-is…


Your comments:

Text only, no HTML. URLs will automatically be converted to links. Your email address is required, but it will not be displayed on the site.

Name:

Not your company or your SEO link. Comments without a real name will be deleted as spam.

Email: (not displayed)

If you don't feel comfortable giving me your real email address, don't expect me to feel comfortable publishing your comment.

Website (optional):

Follow me on Twitter

Lijit Search

Best Of

  • Let it go Netscape 4 is six years old.
  • California State Fair The California State Fair lets you buy tickets in advance from their Web site. That's good. But the site is a horror house of usability problems.
  • Comment Spam Manifesto Spammers are hereby put on notice. Your comments are not welcome. If the purpose behind your comment is to advertise yourself, your Web site, or a product that you are affiliated with, that comment is spam and will not be tolerated. We will hit you where it hurts by attacking your source of income.
  • Customer reference questions. Sample questions to ask customer references when choosing a software vendor.
  • Lock-in is bad T-Mobile thinks they'll get new Hotspot customers with exclusive content and locked-in devices.
  • More of the best »

Recently Read

Get More

Subscribe | Archives

9

Recently

invisible Fence (Mar 22)
The New York Times has a paywall now. Sorta. If you don't choose to ignore it.
Black status icon for Chrometa (Mar 17)
Replacing the status icon of Chrometa
Using Google Voice as your voicemail on AT&T (Oct 26)
How I set up my iPhone to use Google Voice as it's voicemail system.
Don Mattingly forced to make coaching change (Sep 17)
New LA Dodgers coach starts to wonder if he knows the rules of baseball at all.
In which Vonage pretends their prices haven't changed (Apr 12)
Translating what Vonage marketing says about their price increase into plain English.
Twitter app competition (Apr 12)
Life as a Twitter app developer is far from over.
Twitter app competition (Apr 12)
Life as a Twitter app developer is far from over.
The rest of the world is not like you (Apr 5)
Normal people are different. Keep that in mind when creating or marketing a product.

Subscribe to this site's feed.

Elsewhere

IMified
Build instant messaging applications. (My company)
SacStarts
The Sacramento technology startup community.
Pinewood Freak
Pinewood Derby tips and tricks

Contact

Adam Kalsey

Mobile: 916.600.2497

Email: adam AT kalsey.com

AIM or Skype: akalsey

Resume

PGP Key

©1999-2012 Adam Kalsey.
Content management by Movable Type.