Embedded HTML

Discussion in 'SF Open Government' started by Blue_UK, Sep 3, 2007.

Allow HTML code?

  1. Yes, Allow HTML

    1 vote(s)
    20.0%
  2. No, it's asking for trouble

    3 vote(s)
    60.0%
  3. Abstain

    1 vote(s)
    20.0%
  1. Blue_UK Drifting Mind Valued Senior Member

    Messages:
    1,449
    Should HTML be allowed?
     
  3. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    The problem with HTML is it allows X-Scripting attacks, it's the main reason for vBCode.
    It was originally stopped after people used Dynamic Images (ones with '?' variable strings) to get copies of Cookies etc.

    It is possible to add any forms of HTML to vBCode; however, there is a single restraint: any HTML tag is restricted to a single variable element. Like for instance in a TABLE tag you could have Width and Height to name a few entries, the standard vBCode edition would only allow you to put Height or Width, not both.

    If you are after something that only needs one variable then it's possible to get it added if you mention what it is you are after.
     
  5. Blue_UK Drifting Mind Valued Senior Member

    Messages:
    1,449
    Cool. Who's the man responsible for this?

    <hr> is nice and pretty.

    With only one attribute that kind of tells my <div> ideas to f right off.
     
  7. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    Well it is possible to 'precode' attributes, however you'd have to state what it is you'd like to see.

    For instance a good one to precode is a 'Spoiler' tag, something like:

    Code:
    <span style="color:black;background-color:black">%param%</span>
    
    And the bcode being set like:
    Code:
    [hid]someentry[/hid]
    
    The HR tag is obviously possible, however image replacement of it or Width could be an issue (there is no predefined Integer test, which would either require hardcoding a JavaScript entry for the test or the hope that no one uses 'extreme data' outside of the field's scope).

    I guess it would be possible to make long attributes for CSS Style entries, however the problem is that CSS can be used to generate certain workarounds in regards to filters and security. Heck, even just mischief (it wouldn't take much to place a rude replacement image over someone's avatar etc.)
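
Added example, not part of the thread and not vBulletin's own code: a minimal renderer for single-parameter tags with precoded templates, showing the post being HTML-escaped before any tag is expanded and a server-side integer test for a width value. The `[hid]` template is the one quoted above; the `TAGS` table, the `[hr]` tag syntax, its 1-800 range and all function names are assumptions.

```python
import html
import re

def any_text(value):
    # Value is already HTML-escaped by render(), so it is safe as element text.
    return value

def bounded_int(lo, hi):
    # Server-side integer test: digits only and within [lo, hi], else reject.
    def check(value):
        if not re.fullmatch(r"[0-9]{1,4}", value):
            return None
        return value if lo <= int(value) <= hi else None
    return check

# Hypothetical tag table: one precoded template and one validator per tag.
# The [hid] template is the one quoted in the thread; [hr] and its 1-800
# range are assumptions made for this example.
TAGS = {
    "hid": ('<span style="color:black;background-color:black">%param%</span>',
            any_text),
    "hr": ('<hr width="%param%">', bounded_int(1, 800)),
}

TAG_RE = re.compile(r"\[(\w+)\](.*?)\[/\1\]", re.S | re.I)

def render(post):
    # Escape the whole post first, so raw HTML and quotes become inert text.
    escaped = html.escape(post, quote=True)

    def expand(match):
        name, param = match.group(1).lower(), match.group(2)
        if name not in TAGS:
            return match.group(0)      # unknown tag: leave as plain text
        template, validate = TAGS[name]
        value = validate(param)
        if value is None:
            return match.group(0)      # failed validation: leave as plain text
        return template.replace("%param%", value)

    return TAG_RE.sub(expand, escaped)

if __name__ == "__main__":
    # Constructed sample posts.
    for sample in ("[hid]someentry[/hid]", "[hr]300[/hr]",
                   '[hr]300" onmouseover="x[/hr]', "<b>hi</b>"):
        print(render(sample))
```

Because the only markup that reaches the page comes from the fixed templates, a parameter can never add a second attribute; it either passes its validator or stays as visible text.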
     
