#1 2016-07-30 10:55:53

esmondb
Member
From: London
Registered: 2010-07-20
Posts: 299

sanitize HTML

I've been playing with sample 30 (MVC Server) and noticed it's lacking much of a UI for editing blogs. www.salesforce.com has released some open source projects which look very professional and could help provide a JavaScript/HTML/Bootstrap interface:

http://getfuelux.com/ has a pillbox component which could provide editing for tags. It also has a good looking datepicker.

http://beta.quilljs.com/ is a javascript editor which could provide an HTML editing mechanism - I'm sure someone will ask for this.

I guess the difficulty with quill and allowing HTML posts is malicious javascript injection etc. - especially if unknown users make comments.

Would these feature requests for the mustache unit make sense?

1/ as well as escaped and non-escaped HTML variables, could there be a third class of variable which is HTML white-listed-escaped? i.e. allow a few HTML tags to get through with limited attributes, a bit like quill. Something similar in JavaScript is http://htmlpurifier.org/. This seems better than BBCode as long as the white list is documented.

2/ hive off the section of code which escapes html in mustache.pas so that SOA functions could do this on-write rather than on-read (or is this premature optimization?).


#2 2016-07-30 11:40:34

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182

Re: sanitize HTML

You may do this by defining a helper extension in the mustache context.
