Re: whitelisting HTML tags

[Adam Shostack <adam () homeport org>]

On Mon, Nov 07, 2005 at 10:46:49AM -0800, Tim Hollebeek wrote:
|  
| > I'm fond of the BB/Markdown sorts of solutions, which use an 
| > HTML-like language which you translate into HTML.  If your 
| > parser tosses things it doesn't understand, this can be a 
| > good solution to the (often real) requirement of "we need to 
| > let users enter more than plain text."
| 
| You're proposing a small language L where the input is translated
| into a safe subset of HTML if the input is in L, and rejected otherwise.
| 
| What are the advantages of this over the special case L = the safe
| subset (and the translation is the identity function), which we were 
| discussing?

It seems to me simpler to say [b] becomes <b> than to worry if <b> can
take an argument.  

It's also harder for someone to come along and transform it from a
whitelist function to a blacklist function without properly
considering the security implications.  User input functions will
break, and so QA will more easily notice the shift.

Adam