Need someone to lead product management at your software company? I create software for people that create software and I'm looking for my next opportunity. Check out my resume and get in touch.

Sanitary comments

Freshness Warning
This blog post is over 21 years old. It's possible that the information you read below isn't current and the links no longer work.

Brad Choate’s got another Movable Type plugin out and this one enhances the security of your Weblog. The Sanitize Plugin allows you to specify a list of HTML tags that are allowed in the output of any MT tag—any other tags are stripped out.

If you allow people to use HTML in their comments, they can insert malicious code like <script>location.replace = 'http://somesite.com/';</script>. Using the Sanitize plugin, you can prevent <script> tags from ever appearing in your comments.

The plugin also makes sure that all tags that are opened are also closed. That way if someone accidentally leaves out a </b> it doesn’t bold the rest of the page.

This is also a good plugin to use on blogs that have multiple authors, on your trackbacks, and anywhere else that people other than you have access to enter HTML on your site.

Brad Choate
October 3, 2002 11:10 AM

Oooh-- trackbacks. Good call. I had forgotten about that since usually what gets posted is the auto-generated excerpt (which I think is cleaned of tags as well). But if someone provided malicious code in their excerpt, that would probably be output as-is...

This discussion has been closed.

Recently Written

Mastery doesn’t come from perfect planning (Dec 21)
In a ceramics class, one group focused on a single perfect dish, while another made many with no quality focus. The result? A lesson in the value of practice over perfection.
The Dark Side of Input Metrics (Nov 27)
Using input metrics in the wrong way can cause unexpected behaviors, stifled creativity, and micromanagement.
Reframe How You Think About Users of your Internal Platform (Nov 13)
Changing from "Customers" to "Partners" will give you a better perspective on internal product development.
Measuring Feature success (Oct 17)
You're building features to solve problems. If you don't know what success looks like, how did you decide on that feature at all?
How I use OKRs (Oct 13)
A description of how I use OKRs to guide a team, written so I can send to future teams.
Build the whole product (Oct 6)
Your code is only part of the product
Input metrics lead to outcomes (Sep 1)
An easy to understand example of using input metrics to track progress toward an outcome.
Lagging Outcomes (Aug 22)
Long-term things often end up off a team's goals because they can't see how to define measurable outcomes for them. Here's how to solve that.

Older...

What I'm Reading

Contact

Adam Kalsey

+1 916 600 2497

Resume

Public Key

© 1999-2024 Adam Kalsey.