This is the blog of Adam Kalsey. Unusual depth and complexity. Rich, full body with a hint of nutty earthiness.
Freshness Warning
This blog post is over 21 years old. It's possible that the information you read below isn't current and the links no longer work.
3 Oct 2002
Brad Choate’s got another Movable Type plugin out and this one enhances the security of your Weblog. The Sanitize Plugin allows you to specify a list of HTML tags that are allowed in the output of any MT tag—any other tags are stripped out.
If you allow people to use HTML in their comments, they can insert malicious code like <script>location.replace('http://somesite.com/');</script>. Using the Sanitize plugin, you can prevent <script> tags from ever appearing in your comments.
The plugin also makes sure that all tags that are opened are also closed. That way if someone accidentally leaves out a </b> it doesn’t bold the rest of the page.
This is also a good plugin to use on blogs that have multiple authors, on your trackbacks, and anywhere else that people other than you have access to enter HTML on your site.
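The behaviour described above, an allowlist of permitted tags with everything else stripped and any tag left open closed for you, as a small Python sanitizer. This is an added example written for this page, not Brad Choate's Perl plugin, and the allowlist, the attribute filtering and the choice to drop the body of script and style elements are my assumptions. The attribute filter goes one step beyond the post: stripping the <script> tag is not enough on its own when an allowed tag such as <a> can still carry an onclick handler or a javascript: URL.

```python
"""Allowlist HTML sanitizer (added example; not the MT Sanitize plugin's own code)."""
import html
from html.parser import HTMLParser

# Tags a commenter may use; anything else is stripped. (Assumed policy.)
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "blockquote", "a", "code"}
# Attributes kept per allowed tag; onclick, style, etc. are never kept. (Assumed.)
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Elements whose content is script rather than prose: drop the body too. (Assumed.)
DROP_CONTENT = {"script", "style"}
# Void elements never go on the open-tag stack, so they are never "closed".
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized output pieces
        self.stack = []       # allowed tags currently open, in order
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # disallowed tag: the markup is dropped, its text survives
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # javascript:, data:, vbscript: ... are rejected
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return  # stray or disallowed close tag: drop it
        # Close everything opened after this tag so the nesting stays well-formed.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape text so a literal "<" in a comment can never form a tag.
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        # Anything still open (a forgotten </b>) is closed here.
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return `fragment` with only allowlisted tags, properly nested and closed."""
    s = Sanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed sample comments, not real submissions.
    print(sanitize("hi <script>location.replace('http://somesite.com/')</script> there"))
    print(sanitize("<b>this bold never got closed"))
    print(sanitize('<a href="javascript:alert(1)" onclick="x()">link</a>'))
```

Stray close tags are dropped rather than emitted, and mis-nested input such as <i><b>x</i></b> comes out as <i><b>x</b></i>, so the output is always balanced regardless of what the commenter typed.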
Brad Choate
October 3, 2002 11:10 AM
Oooh-- trackbacks. Good call. I had forgotten about that since usually what gets posted is the auto-generated excerpt (which I think is cleaned of tags as well). But if someone provided malicious code in their excerpt, that would probably be output as-is...