WebApp Sec mailing list archives

RE: whitelisting HTML tags


From: "Tim Hollebeek" <tholleb () teknowledge com>
Date: Mon, 7 Nov 2005 10:46:49 -0800


I'm fond of the BB/Markdown sorts of solutions, which use an
HTML-like language which you translate into HTML.  If your
parser tosses things it doesn't understand, this can be a
good solution to the (often real) requirement of "we need to
let users enter more than plain text."

You're proposing a small language L where the input is translated
into a safe subset of HTML if the input is in L, and rejected otherwise.

What are the advantages of this over the special case L = the safe
subset (and the translation is the identity function), which we were 
discussing?

-Tim
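As an added illustration (not code from the thread or its participants), here is one constructed instance of the "small language L" being discussed: a three-construct BBCode-like markup that is translated into a fixed safe subset of HTML, and rejected outright when the input is not a well-formed sentence of L. The constructs, the element mapping and the allowed URL schemes are assumptions chosen for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed instance of the "small language L" from the thread: a BBCode-like
# markup with exactly three constructs, [b], [i] and [url=...]. Everything that
# is not one of these is literal text and is HTML-escaped on output, so raw HTML
# typed by the user can never reach the page as markup.
TAG_RE = re.compile(r"\[(/?)(b|i|url)(?:=([^\]]*))?\]")
# Output HTML element per construct; this is the whole "safe subset" the
# translation can emit.
ELEMENT = {"b": "b", "i": "i", "url": "a"}
ALLOWED_SCHEMES = ("http", "https")


class RejectedInput(ValueError):
    """Input is not a well-formed sentence of L, so the whole text is refused."""


def translate(text: str) -> str:
    """Translate L into HTML, or raise RejectedInput instead of guessing."""
    out, stack, pos = [], [], 0
    for m in TAG_RE.finditer(text):
        # Literal text between constructs is escaped, never passed through.
        out.append(html.escape(text[pos:m.start()], quote=True))
        pos = m.end()
        closing, name, arg = m.group(1) == "/", m.group(2), m.group(3)
        if closing:
            if arg is not None or not stack or stack[-1] != name:
                raise RejectedInput(f"unbalanced or malformed [/{name}]")
            stack.pop()
            out.append(f"</{ELEMENT[name]}>")
        elif name == "url":
            # Only absolute http(s) URLs are part of L; any other scheme is
            # outside the language and rejected rather than silently dropped.
            if arg is None or urlsplit(arg).scheme not in ALLOWED_SCHEMES:
                raise RejectedInput("[url=...] needs an absolute http(s) URL")
            stack.append(name)
            out.append(f'<a href="{html.escape(arg, quote=True)}">')
        else:
            if arg is not None:
                raise RejectedInput(f"[{name}] takes no argument")
            stack.append(name)
            out.append(f"<{ELEMENT[name]}>")
    if stack:
        raise RejectedInput(f"unclosed [{stack[-1]}]")
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    print(translate("Hello [b]world[/b], see [url=https://example.com]here[/url]"))
```

The contrast with the "L = safe subset, translation = identity" case is that this translator never has to parse HTML at all: the output grammar is fixed by the translator, and anything the input grammar does not cover is either escaped as text or causes the whole submission to be rejected.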


