Need someone to lead product management at your software company? I create software for people that create software and I'm looking for my next opportunity. Check out my resume and get in touch.

Sanitary comments

Freshness Warning
This blog post is over 21 years old. It's possible that the information you read below isn't current and the links no longer work.

Brad Choate’s got another Movable Type plugin out and this one enhances the security of your Weblog. The Sanitize Plugin allows you to specify a list of HTML tags that are allowed in the output of any MT tag—any other tags are stripped out.

If you allow people to use HTML in their comments, they can insert malicious code like <script>location.replace = '';</script>. Using the Sanitize plugin, you can prevent <script> tags from ever appearing in your comments.

The plugin also makes sure that all tags that are opened are also closed. That way if someone accidentally leaves out a </b> it doesn’t bold the rest of the page.

This is also a good plugin to use on blogs that have multiple authors, on your trackbacks, and anywhere else that people other than you have access to enter HTML on your site.

Brad Choate
October 3, 2002 11:10 AM

Oooh-- trackbacks. Good call. I had forgotten about that since usually what gets posted is the auto-generated excerpt (which I think is cleaned of tags as well). But if someone provided malicious code in their excerpt, that would probably be output as-is...

This discussion has been closed.

Recently Written

Too Big To Fail (Apr 9)
When a company piles resources on a new product idea, it doesn't have room to fail. That keeps it from succeeding.
Go small (Apr 4)
The strengths of a large organization are the opposite of what makes innovation work. Starting something new requires that you start with a small team.
Start with a Belief (Apr 1)
You can't use data to build products unless you start with a hypothesis.
Mastery doesn’t come from perfect planning (Dec 21)
In a ceramics class, one group focused on a single perfect dish, while another made many with no quality focus. The result? A lesson in the value of practice over perfection.
The Dark Side of Input Metrics (Nov 27)
Using input metrics in the wrong way can cause unexpected behaviors, stifled creativity, and micromanagement.
Reframe How You Think About Users of your Internal Platform (Nov 13)
Changing from "Customers" to "Partners" will give you a better perspective on internal product development.
Measuring Feature success (Oct 17)
You're building features to solve problems. If you don't know what success looks like, how did you decide on that feature at all?
How I use OKRs (Oct 13)
A description of how I use OKRs to guide a team, written so I can send to future teams.


What I'm Reading


Adam Kalsey

+1 916 600 2497


Public Key

© 1999-2024 Adam Kalsey.