[Haskell-cafe] Re: the Network.URI parser
peteg42 at gmail.com
Wed May 28 03:49:11 EDT 2008
On 28/05/2008, at 12:28 PM, Miguel Mitrofanov wrote:
>> I am taking comments on a web forum from arbitrary people. The
>> interpretation of the HTML occurs at the user's browser. A lot of
>> people will be using outdated browsers (IE 5.5 / 6), ergo security
>> (at the source) becomes my problem. I cannot force them to upgrade
>> their browsers.
> I think this is very wrong for two reasons. First of all, the more
> web sites care of old browsers, the later people will upgrade them,
> therefore preventing the progress in Web (though IE 5.5 is not THAT
> old and bad, so this argument is not so strong). In Russia we some
> times say that a user with an outdated browser is an EPTH (Evil
> Pinocchio To Himself, don't ask me about source of this term).
I am not encouraging people to stick with IE 5.5, I am trying to
prevent them from being exploited when visiting my site. It is a good-
faith-best-effort, not something I will formally prove.
> Secondly, I don't think that filtering HTML coming from an arbitrary
> user is a good idea. HTML is not very human-readable and too complex
> to achieve real safety without lots of work. My suggestion is to use
> some home-grown wiki-like syntax - it's easier to enter (*bold*
> instead of <b>bold</b>), easier to read (and your users would
> sometimes read their comments before posting - to check
> correctness), and easier to process, since it can't have security
> holes you're not aware of.
Did you read my post? I validate the XHTML against a restricted
variant of the XHTML 1.0 Strict DTD. I want to ensure that if it
validates, it is "safe", as I explained before. I think the "style"
attribute is unsafe, so I can remove it from the DTD. (We can simulate
the effect of "style" by providing pre-made CSS classes and vetting
the "class" attribute.) I am sure you can generalise from here.
As for some other kind of markup: if my users were sophisticated
enough to use something else, then I would use it. The target audience
is not very literate, let alone computer literate.
> But you're right, we are off topic.
Sorry to reply to your post then, I couldn't resist. :-/
More information about the Haskell-Cafe