Page 1 of 1

Problems with Event Plugin "Transforms HTML for comment

Posted: Sat Dec 01, 2007 5:27 am
by jerrygarciuh
Hello,

First post here. We have the "Transforms HTML for comments" as the first plugin in the "Active" column under "Event Plugins". It has "All Authors" selected.

However the warning "HTML-Tags will be converted to Entities" still appears on the comment form and they are converted. We cannot post images or links in out comments.

Can anyone tell me what I need to do to activate or configure this plugin?

Thanks!

JG

Re: Problems with Event Plugin "Transforms HTML for com

Posted: Sun Dec 02, 2007 3:46 pm
by garvinhicking
Hi!

That plugin is only there to NOT strip HTML code like <b>Bold</b> from postings. It does NOT render this as HTML code, but is displayed in raw text.

There is no s9y plugin that supports HTML code in comments. This is thought to be a major security risk, thus we don't support it and don't encourage it. Instead, you should use metamarkup like bbcode or textile.

REgards,
Garvin

Re: Problems with Event Plugin "Transforms HTML for com

Posted: Sun Dec 02, 2007 5:50 pm
by jerrygarciuh
garvinhicking wrote:Hi!

That plugin is only there to NOT strip HTML code like <b>Bold</b> from postings. It does NOT render this as HTML code, but is displayed in raw text.

There is no s9y plugin that supports HTML code in comments. This is thought to be a major security risk, thus we don't support it and don't encourage it. Instead, you should use metamarkup like bbcode or textile.

REgards,
Garvin
Hi Garvin,

Thank you very much for taking the time to respond to my question!

As you may know the LiveJournal Perl code has managed to allow for HTML in comments while managing to keep out JavaScript and CSS hacks. I know many people consider PHP to be an inherently less secure way of delivering multi-author documents. Is that your opinion also?

JG

Re: Problems with Event Plugin "Transforms HTML for com

Posted: Sun Dec 02, 2007 10:33 pm
by garvinhicking
Hi!

I simply have not yet seen a PHP method/function to strip out dangerous HTML. Hacks are always evolving, so I don't really believe in a secure way of allowing HTML.

IMHO it's not a matter of Perl vs. PHP. What can be done in Perl can also be done in PHP.

Are you sure the LJ Perl lib is completely secure? Even against UTF-7 CSS-Injections or <embed>-Tag abuse?

Regards,
Garvin

Re: Problems with Event Plugin "Transforms HTML for com

Posted: Mon Dec 03, 2007 7:50 pm
by jerrygarciuh
garvinhicking wrote:Hi!

That plugin is only there to NOT strip HTML code like <b>Bold</b> from postings. It does NOT render this as HTML code, but is displayed in raw text.

There is no s9y plugin that supports HTML code in comments. This is thought to be a major security risk, thus we don't support it and don't encourage it. Instead, you should use metamarkup like bbcode or textile.

REgards,
Garvin
Hi Garvin,

I see mention in various places of the bbcode plugin but a search of http://spartacus.s9y.org/index.php?mode ... s_event_en and http://spartacus.s9y.org/index.php?mode ... sidebar_en
does not show me the plugin.

I have gone over the admin looking for a non-plugin control for this but it does not seem to be present.

Can you advise?

JG

Re: Problems with Event Plugin "Transforms HTML for com

Posted: Tue Dec 04, 2007 10:09 am
by garvinhicking
Hi Jerry!

The BBCode plugin comes with Serendipity by default, no need to download it anywhere. You can install it straight ahead.

HTH,
Garvin

Re: Problems with Event Plugin "Transforms HTML for com

Posted: Tue Dec 04, 2007 8:31 pm
by jerrygarciuh
garvinhicking wrote:Hi Jerry!

The BBCode plugin comes with Serendipity by default, no need to download it anywhere. You can install it straight ahead.

HTH,
Garvin
Hi Garvin,

Thanks for all the help! When I had't seen it in my admin I had done a search for Event plugins and not seen it but now I searched for Markup and foound it.

Really appreciate you having taken time with me!!

Peace

JG

Posted: Thu Dec 06, 2007 9:12 pm
by judebert
Hey, Garvin. I'm back for a few hours, and I figured I'd make your life miserable. Sorry.

I've always had problems with the "insecure HTML" premise. After all, the real reason BBCode is "secure" is because it does only a subset of what HTML can do. Slashdot allows HTML in its comments; I think we could, too. As long as we restrict it to a subset of HTML.

For instance, I'd allow only a few formatting tags: P, BR, I, B, U, QUOTE, CODE, IMG, UL, OL, and LI. I'd refuse all parameters: no style=, size=, or anything else. I'd make a single special exception to include the A tag, which must have an href.

If anything fails the very simple formatting rules, it gets HTML-escaped, just like the rest of the comment does. No OBJECT, EMBED, or SCRIPT tags allowed. Not to mention DIV and SPAN, which are pretty useless without their class attributes.

Isn't this what BBCode does, but using [] instead of <>? What's so special about the HTML, other than being more pointy?

Posted: Thu Dec 06, 2007 11:19 pm
by garvinhicking
Hi!

They easier allow to make invalid HTML. Imagine if someone enter's "<br>", this must be converted to "<br />". And then, it must also allow "<br />" as an input. Same with "<p>" - it might have a closing "</p>", but people might forget this.

Allowing HTML, even a subset, is like opening Pandora's Box. $0.02.

Regards,
Garvin