Monday, November 26, 2007

A discussion in the showmedo.com Google group led to pinning down the core reason why enabling HTML in forums, or in any posting box on any site, is risky.

Excerpt from wikipedia.org, from the article on BBCode:

"BBCode was devised to provide a safer, easier and more limited way of allowing users to format their messages. Programmer convenience was certainly another factor, as BBCode is very simple to implement.[citation needed] Previously, many message boards allowed the users to include HTML formatting, a side effect of which was that malformed HTML could disrupt the page's layout, or HTML could be used to run JavaScript leading to XSS attacks. Some implementations of BBCode have suffered problems related to the way they translate the BBCode into HTML, which could negate the security that was intended to be given by BBCode. An alternative is a properly written HTML filter (many of which are freely available)."

Implementing an HTML filter properly takes a lot of time and experimentation, and since showmedo.com has other priorities, RST (reStructuredText) is the lightweight markup language used instead, not least because Python libraries for processing RST are readily available.
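As an added example (not showmedo's code, and not from the Wikipedia article), this is the shape of a BBCode-to-HTML translation that avoids the problem the excerpt alludes to: escape all user text first, then emit only a fixed set of tags, and accept only http(s) link targets. The tag set, helper names and sample strings are my own choices.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed example: a minimal allow-list BBCode translator.
SAFE_SCHEMES = {"http", "https"}
SIMPLE_TAGS = {"b": "strong", "i": "em"}

# [b]...[/b] and [i]...[/i]; the backreference forces matching open/close tags.
SIMPLE_RE = re.compile(r"\[([bi])\](.*?)\[/\1\]", re.DOTALL)
# [url=target]text[/url]; ']' is never HTML-escaped, so this still works after escaping.
URL_RE = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL)


def safe_url(raw):
    """Return the URL only if its scheme is http or https and it has a host, else None."""
    parts = urlsplit(raw.strip())
    if parts.scheme.lower() in SAFE_SCHEMES and parts.netloc:
        return parts.geturl()
    return None


def bbcode_to_html(text):
    # 1. Neutralise every literal <, >, &, " before any tag is generated, so
    #    user-supplied markup can only ever reach the browser as text.
    out = html.escape(text, quote=True)
    # 2. Translate the allow-listed tags. Because step 1 already ran, the
    #    captured bodies contain only escaped text.
    out = SIMPLE_RE.sub(
        lambda m: "<{0}>{1}</{0}>".format(SIMPLE_TAGS[m.group(1)], m.group(2)), out)

    def link(m):
        # Undo step 1 on the target only to parse it, then re-escape for the attribute.
        target = safe_url(html.unescape(m.group(1)))
        if target is None:
            return m.group(2)  # unsafe scheme: drop the link, keep the visible text
        return '<a href="{}" rel="nofollow">{}</a>'.format(
            html.escape(target, quote=True), m.group(2))

    return URL_RE.sub(link, out)


if __name__ == "__main__":
    for sample in ("[b]hi[/b] <script>x</script>",
                   "[url=javascript:void(0)]click[/url]",
                   "[url=http://example.com/?a=1&b=2]site[/url]"):
        print(bbcode_to_html(sample))
```

Nested tags of the same kind are not handled here; a production filter needs a real parser. If the RST is rendered with docutils, the same principle applies to user-supplied content: the `raw` directive passes HTML through untouched and should be disabled via the `raw_enabled` setting.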
