[Systers-dev] help with a html sanitizer

Sarah Mei sarahmei at gmail.com
Fri Jul 24 10:43:44 PDT 2009


How about using some HTML subset language, like markdown or bbcode?
It's notoriously difficult to sanitize actual HTML.

Sarah

------------------
Sarah Mei
sarahmei.com/blog



On Fri, Jul 24, 2009 at 8:05 AM, Anna Granudd <anna.granudd at gmail.com> wrote:
> Hi,
> I implemented the opportunity to write whatever questions you want for the
> essay directly when creating a list, but now realized that my solution might
> be a bit risky. The current solution (not yet implemented in the main
> branch) makes it possible to enter the questions and format them
> straight away with HTML code in a text field. This means that it's possible
> to add code here (for instance some evil JavaScript) that does whatever one
> wants, and if some malicious person were to do this, it's a security risk that
> we're facing. Of course, as long as it's just Systers who use our code we'd
> be fairly safe anyway, since it's unlikely that one of us would do this, but
> for future use it's still good to close this breach. This is where I'd like
> some help. I thought it might be a good idea to implement an HTML sanitizer
> here that only allows a few different ways of formatting. However, since I
> don't have any experience with this I thought asking for help was in order.
>
> One thought was to implement something like this:
> http://stackoverflow.com/questions/699468/python-html-sanitizer-scrubber-filter
>
> Do any of you have experience with implementing an HTML sanitizer in Python
> (maybe even the one I thought of), and could you then recommend what to use
> or how to attack this problem? I added a bug report for this; if you'd like
> to have a look at it, it can be found under
> https://bugs.launchpad.net/systers/+bug/402121
> Any other thoughts are of course appreciated as well.
>
>
> Thanks,
> Anna
>
>
>


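As an added example (not code from this thread or from the Systers project), a minimal allowlist sanitizer of the kind Anna describes, written in Python 3 with only the standard library; the set of allowed tags is a constructed assumption. It also illustrates Sarah's point: even this small filter has to deal with attributes, nested and unclosed tags, entity decoding and script bodies, which is why a restricted markup language is often the easier route.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist: the "few different ways of formatting" the question asks for.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
VOID_TAGS = {"br"}                  # never pushed on the open-tag stack
DROP_CONTENT = {"script", "style"}  # the text inside these is discarded, not just the tags

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # allowed tags currently open, closed in order at the end
        self.skip_depth = 0  # > 0 while inside a <script>/<style> body

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            # Attributes are never copied, so onclick=, style= or href= cannot survive.
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.stack:
            # Also close anything opened after it, so the output stays well-formed.
            while self.stack:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        # convert_charrefs already decoded entities, so re-escaping here is safe.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    """Return a copy of `fragment` containing only the allowed formatting tags."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    while p.stack:  # close tags the input left open
        p.out.append(f"</{p.stack.pop()}>")
    return "".join(p.out)
```

Comments, processing instructions and unknown tags are silently dropped because the HTMLParser default handlers do nothing with them.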