Andre Polykanine A.K.A. Menelion Elensúlë - 2011-05-18 19:09:30
Hello Dr. Patnaik,
I have been using HtmLawed for about a year and a half, and I'm pretty satisfied with it, thanks a lot!
However, I would like to ask: will you be supporting Html 5 tags such as audio, video, canvas, section, article...?
And one more question: what do you think about this article: http://blog.astrumfutura.com/2010/08/html-sanitisation-the-devils-in-the-details-and-the-vulnerabilities/? Are they telling the truth about the insecurities in HtmLawed?
Thanks!
Santosh Patnaik - 2011-07-07 00:37:41 - In reply to message 1 from Andre Polykanine A.K.A. Menelion Elensúlë
Hi,
Sorry for the delay in my response. I did not see your post until today.
Yes, a new version of htmLawed with HTML5 support will be out soon, within this month. However, if you want me to suggest code-changes for you for just 'audio' and 'video', I will be happy to do so.
Regarding the astrumfutura blog post you refer to: I have always felt that some developers have created FUD about htmLawed. The security vulnerabilities they talk of are not really true. E.g., htmLawed can let in 'script' elements, but is this a vulnerability? I don't think so because someone might want to allow 'script' within content processed through htmLawed. At the same time, if someone wants to remove 'script', they can. So it comes down to whether htmLawed is configured properly or not to achieve the desired output. So, with proper configuration, is htmLawed vulnerable? I don't think so.
Andre Polykanine A.K.A. Menelion Elensúlë - 2011-07-07 12:47:15 - In reply to message 2 from Santosh Patnaik
Hi,
Thanks for your reply. So, awaiting the Html5 support :-).
And one more question (please please answer it, because I did read the manual several times through and still couldn't find the answer...). Could I implement a custom tag support within HtmLawed (maybe using hook functions)? Say, I have a <youtube> custom tag on my blog platform so the users could enter a link within this tag, and when processed, it would be changed to an iframe. Could I do something like this using HtmLawed?
Thanks!
Santosh Patnaik - 2011-07-07 17:18:46 - In reply to message 3 from Andre Polykanine A.K.A. Menelion Elensúlë
No, there is no in-built support for converting a custom tag to another. I always thought this to be outside htmLawed's purview. And it is easy to get this functionality without using htmLawed.
(1) E.g., the input can be passed through a simple str_replace or preg_replace call to change <youtube> to <iframe> before it is handed over to htmLawed. In this case, htmLawed has to be configured to allow <iframe>, which one might not like.
(2) An alternative then is to use characters other than < and > to specify the 'youtube' tags (like [youtube]), then htmLawed-filter the input (not allowing <iframe>), and then do (1).
(3) Another method is mentioned here -- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.9
Still, let me know if you think it will be better to have a custom tag conversion feature in htmLawed.
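Option (2) from the reply above, sketched as an added PHP example that is not part of the original thread or of htmLawed itself. The names `render_post` and `extract_video_id` are hypothetical, and the code assumes htmLawed.php is on the include path and that video IDs are 11 characters long.

```php
<?php
// Added example, not htmLawed's own code. Assumes htmLawed.php is on the include path.
require_once 'htmLawed.php';

// Accept a bare video ID or an https youtube.com / youtu.be URL; return the ID or null.
// Assumption: video IDs are 11 characters from [A-Za-z0-9_-].
function extract_video_id(string $value): ?string
{
    $idPattern = '~\A[A-Za-z0-9_-]{11}\z~';
    if (preg_match($idPattern, $value)) {
        return $value;
    }
    $parts = parse_url($value);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https') {
        return null;
    }
    $host = strtolower($parts['host'] ?? '');
    $candidate = null;
    if ($host === 'youtu.be') {
        $candidate = ltrim($parts['path'] ?? '', '/');
    } elseif ($host === 'www.youtube.com' || $host === 'youtube.com') {
        parse_str($parts['query'] ?? '', $query);
        $candidate = $query['v'] ?? null;
    }
    return is_string($candidate) && preg_match($idPattern, $candidate) ? $candidate : null;
}

function render_post(string $input): string
{
    // Filter first: 'safe' => 1 disallows iframe, script, object, embed and applet,
    // so a user-supplied <iframe> never survives as markup.
    $clean = htmLawed($input, ['safe' => 1]);
    // Expand placeholders afterwards; only the validated ID reaches the fixed iframe template.
    return preg_replace_callback(
        '~\[youtube\](.*?)\[/youtube\]~s',
        function (array $m): string {
            // The filtered text may carry '&' as '&amp;', so decode before parsing the URL.
            $id = extract_video_id(html_entity_decode(trim($m[1]), ENT_QUOTES, 'UTF-8'));
            return $id === null ? '' : '<iframe width="560" height="315" '
                . 'src="https://www.youtube.com/embed/' . $id . '" allowfullscreen></iframe>';
        },
        $clean
    );
}

// Constructed sample input: a valid placeholder, a user-supplied iframe, a rejected placeholder.
echo render_post(
    '<p>Hi</p>[youtube]https://youtu.be/abcdefghijk[/youtube]'
    . '<iframe src="https://example.invalid/"></iframe>[youtube]http://example.invalid/x[/youtube]'
);
```

Because the iframe is emitted after filtering, htmLawed never has to be configured to allow `<iframe>`, and the only user-controlled part of the output is the validated ID.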
Andre Polykanine A.K.A. Menelion Elensúlë - 2011-07-07 19:00:35 - In reply to message 4 from Santosh Patnaik
As for me, I think it would be better to have custom tags support within HtmLawed. However, since you are making a free (and good!) tool, I can't say "go and do it just for me!". So *if* it is either not too difficult or you have it in your own projects for future, please do it (and know that at least one user will use it - but I think I'm not alone to need it).
Thanks in advance!