Edgewall Software

Changes between Version 75 and Version 76 of GenshiTutorial


Ignore:
Timestamp:
Sep 4, 2007, 9:42:53 PM (12 years ago)
Author:
cmlenz
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • GenshiTutorial

    v75 v76  
    14241424This parses the comment text, runs it through the sanitizer, and serializes it to XHTML. And the result of the transformation is what we'll save to our “database”. Why are we using XHTML here, when we actually use HTML almost everywhere else? Well, we want to be able to include the comment text in Atom feeds, too, and for that they'll need to be well-formed XML.
    14251425
     1426 '''Note:''' this is just one way to add sanitization. Another equally valid approach would be to store comment submissions exactly how they were entered, and sanitize them when they are displayed. Or you could have two fields in the model: one to store the text as originally submitted, and the other to store the sanitized content ready for display. Which method you choose depends on the needs of your particular application. Or, if you were really paranoid, you'd sanitize both the input and the output.
     1427
    14261428You may want to try performing some XSS attacks by including malicious HTML markup in comments. Try some of the methods shown on the [http://ha.ckers.org/xss.html XSS Cheat Sheet]. You should not be able to get past the sanitizer; if you are, please [/newticket let us now].
    14271429