[Systers-dev] help with a html sanitizer

Anna Granudd anna.granudd at gmail.com
Tue Jul 28 03:16:46 PDT 2009


The idea sounds great, but I would need some more help to be able to
implement it. First some background: today the (HTML) formatted text is
taken directly from a textbox field (when creating a list) and put into the
template (also formatted in HTML) without being checked at all. It is just
taken straight from one field and put into the template as it is.
Do you have any ideas how to create this field where the list creator can
enter the questions, allowing a lightweight markup language and not just
any text? This is possibly a stupid question but still, can the text
entered in the field then be read as normal HTML code and simply be put in
the appropriate field in the template, or does it need to be converted
somehow? A simple Markdown converter, for instance the one suggested on this
page: http://www.freewisdom.org/projects/python-markdown/Using_as_a_Module
would be necessary, right?

I think the converter could work, or at least I could probably play around
with it until it works, but I'm not sure how to create a text field where
the list creators can enter their text in a lightweight markup language and
not just any language. Any suggestions? Also, if you don't believe in the
converter I found, do you have any other suggestions?

Thanks,
Anna


On Fri, Jul 24, 2009 at 7:43 PM, Sarah Mei <sarahmei at gmail.com> wrote:

> How about using some HTML subset language, like markdown or bbcode?
> It's notoriously difficult to sanitize actual HTML.
>
> Sarah
>
> ------------------
> Sarah Mei
> sarahmei.com/blog
>
>
>
> On Fri, Jul 24, 2009 at 8:05 AM, Anna Granudd <anna.granudd at gmail.com>
> wrote:
> > Hi,
> > I implemented the opportunity to write whatever questions you want for
> > the essay directly when creating a list, but now realized that my
> > solution might be a bit risky. The current solution (not yet implemented
> > in the main branch) makes it possible to enter the questions and format
> > them straight away with HTML code in a text field. This means that it's
> > possible to add code here (for instance some evil JavaScript) that does
> > whatever one wants, and if some malicious person were to do this, it's a
> > security risk that we're facing. Of course, as long as it's just Systers
> > who use our code we'd be fairly safe anyway, since it's unlikely that one
> > of us would do this, but for future use it's still good to close this
> > breach. This is where I'd like some help. I thought it might be a good
> > idea to implement an HTML sanitizer here that only allows a few different
> > ways of formatting. However, since I don't have any experience with this
> > I thought asking for help was in order.
> >
> > One thought was to implement something like this:
> > http://stackoverflow.com/questions/699468/python-html-sanitizer-scrubber-filter
> > Does any of you have experience with implementing an HTML sanitizer in
> > Python (maybe even the one I thought of) and could you then recommend me
> > what to use or how to attack this problem? I added a bug report for this;
> > if you'd like to have a look at it, it can be found under
> > https://bugs.launchpad.net/systers/+bug/402121 Any other thoughts are of
> > course appreciated as well.
> >
> >
> > Thanks,
> > Anna
> >
> >
>
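An added example, not code from this thread or from the Systers project, showing the pipeline Sarah suggests. There is no special kind of text field: the list creator types Markdown into an ordinary textarea, and the restriction is enforced on the server, which converts the text with python-markdown and then runs the resulting HTML through an allowlist sanitizer before it is stored or placed in the template. The second step is needed because Markdown by design lets raw HTML through, so `<script>` or an `onclick=` attribute pasted into the field survives the converter untouched. The sanitizer below uses only the Python standard library; the tag, attribute and URL-scheme lists, the `render_question` helper and the sample inputs are my choices, not the project's. The `converter` argument is where `markdown.markdown` from python-markdown would be passed in; it is not imported here so the example runs without it.

```python
"""Allowlist HTML sanitizer to run on python-markdown output (stdlib only)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Formatting the list creator may use; anything else is stripped (assumed set).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "code", "pre", "blockquote",
                "ul", "ol", "li", "h1", "h2", "h3", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}    # no style=, no on*= handlers anywhere
SAFE_SCHEMES = {"http", "https", "mailto"}  # rejects javascript:, data:, vbscript:
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}     # the tag AND its text are removed


def clean_href(value):
    """Return the URL if its scheme is allowed, otherwise None.

    Whitespace and control characters are removed before the check because
    browsers ignore them when parsing a scheme ("java\\tscript:" still runs).
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "" or scheme in SAFE_SCHEMES:  # "" means a relative link
        return cleaned
    return None


class Sanitizer(HTMLParser):
    """Re-serialise only allowlisted tags/attributes; escape everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; we re-escape
        self.out = []
        self.open_tags = []    # allowed tags not yet closed, so output stays balanced
        self.skipping = False  # inside <script>/<style>: drop the text too

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = True
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return                                # drop the tag, keep its text
        kept = []
        for name, value in attrs:                 # names are already lowercased
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href":
                value = clean_href(value)
                if value is None:
                    continue                      # unsafe scheme: drop the attribute
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = False
            return
        if self.skipping or tag not in self.open_tags:
            return                                # stray or disallowed close tag
        while True:                               # also close anything left open inside it
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))
    # Comments, doctypes and processing instructions fall through to the
    # base class's no-op handlers and are therefore dropped.


def sanitize_html(dirty):
    p = Sanitizer()
    p.feed(dirty)
    p.close()
    while p.open_tags:                            # balance tags the author left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)


def render_question(markup, converter):
    """Convert the creator's text, then sanitize the HTML that comes out.
    `converter` would be markdown.markdown from python-markdown (assumed,
    not imported here); any str -> str function works for the demo."""
    return sanitize_html(converter(markup))


if __name__ == "__main__":
    # Constructed sample: what a malicious list creator might paste.
    hostile = ('<p onmouseover="steal()">Question 1: <b>why?</b></p>'
               '<script>document.location="http://evil.example/"</script>'
               '<a href="java&#09;script:alert(1)">click</a>'
               '<img src=x onerror=alert(1)><i>unclosed')
    print(sanitize_html(hostile))
```

Two design points worth keeping when adapting this: the sanitizer works on the parsed tree and re-serialises it, so it never tries to regex-match "bad" strings in the raw input (the approach that is notoriously easy to bypass), and it closes any tag the author left open so that a stray `<b>` in one question cannot change the formatting of the rest of the template.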

