# Embedded HTML

Discussion in 'SF Open Government' started by Blue_UK, Sep 3, 2007.


## Allow HTML code?

- 1 vote(s), 20.0%
- 3 vote(s), 60.0%
- 1 vote(s), 20.0%

1. ### Blue_UK | Drifting Mind | Valued Senior Member

Messages: 1,448

Should HTML be allowed?

3. ### Stryder | Keeper of "good" ideas. | Valued Senior Member

Messages: 13,104

The problem with HTML is it allows X-Scripting attacks; it's the main reason for vBCode.
It was originally stopped after people used Dynamic Images (ones with '?' variable strings) to get copies of Cookies etc.

It is possible to add any form of HTML to vBCode; however, there is a single restraint: any HTML tag is restricted to a single variable element. For instance, in a TABLE tag you could have Width and Height, to name a few entries; the standard vBCode edition would only allow you to put Height or Width, not both.

If you are after something that only needs one variable then it's possible to get it added if you mention what it is you are after.

5. ### Blue_UK | Drifting Mind | Valued Senior Member

Messages: 1,448

Cool. Who's the man responsible for this?

<hr> is nice and pretty.

With only one attribute, that kind of tells my <div> ideas to f right off.

7. ### Stryder | Keeper of "good" ideas. | Valued Senior Member

Messages: 13,104

Well it is possible to 'precode' attributes, however you'd have to state what it is you'd like to see.

For instance a good one to precode is a 'Spoiler' tag, something like:

Code:
<span style="color:black;background-color:black">%param%</span>

And the bcode being set like:
Code:
[hid]someentry[/hid]

The HR tag is obviously possible; however, image replacement of it or Width could be an issue (there is no predefined Integer test, which would either require hardcoding a JavaScript entry for the test or the hope that no one uses 'extreme data' outside of the field's scope).

I guess it would be possible to make long attributes for CSS Style entries; however, the problem is that CSS can be used to generate certain workarounds in regards to filters and security. Heck, even just mischief (it wouldn't take much to place a rude replacement image over someone's avatar, etc.).
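
One way to implement the precoded single-parameter tags and the missing integer test discussed in this thread, as an added example that is not vBulletin's code or any poster's. The `[hr=N]` syntax, the 1 to 100 range and all function names are assumptions; only `[hid]` and its `<span>` template come from the thread.

```javascript
// Added example; only [hid] and its <span> template come from the thread.
// Escape HTML-significant characters so post text can never open a tag
// or break out of an attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The "integer test": digits only, at most three of them, within 1..100.
// The range is an assumption; returns null when the value is rejected.
function validPercent(value) {
  if (!/^[0-9]{1,3}$/.test(value)) return null;
  const n = Number(value);
  return n >= 1 && n <= 100 ? n : null;
}

// Precoded tags: the markup is fixed by the administrator and the poster
// supplies only the single %param% value.
const TAGS = [
  {
    pattern: /\[hid\]([\s\S]*?)\[\/hid\]/gi,
    // A function replacement keeps "$&"-style sequences in param literal.
    render: (param) =>
      '<span style="color:black;background-color:black">%param%</span>'
        .replace('%param%', () => param),
  },
  {
    // Hypothetical [hr=N] tag: N becomes a width in percent.
    pattern: /\[hr=([^\]]*)\]/gi,
    // A rejected value leaves the (already escaped) tag text as typed.
    render: (param, whole) => {
      const width = validPercent(param);
      return width === null ? whole : `<hr width="${width}%">`;
    },
  },
];

// Escape the whole post first, then expand tags on the escaped text, so
// every %param% is inert before it reaches a template.
function renderPost(raw) {
  let html = escapeHtml(raw);
  for (const tag of TAGS) {
    html = html.replace(tag.pattern, (whole, param) => tag.render(param, whole));
  }
  return html;
}

// Constructed sample post.
console.log(renderPost('Ending: [hid]<b>he lives</b>[/hid] [hr=50] [hr=99999999]'));
```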