[Haskell-cafe] Re: the Network.URI parser

Peter Gammie peteg42 at gmail.com
Wed May 28 03:49:11 EDT 2008


On 28/05/2008, at 12:28 PM, Miguel Mitrofanov wrote:

>> I am taking comments on a web forum from arbitrary people. The  
>> interpretation of the HTML occurs at the user's browser. A lot of  
>> people will be using outdated browsers (IE 5.5 / 6), ergo security  
>> (at the source) becomes my problem. I cannot force them to upgrade  
>> their browsers.
>
> I think this is very wrong for two reasons. First of all, the more
> web sites care about old browsers, the later people will upgrade them,
> therefore preventing progress on the Web (though IE 5.5 is not THAT
> old and bad, so this argument is not so strong). In Russia we
> sometimes say that a user with an outdated browser is an EPTH (Evil
> Pinocchio To Himself, don't ask me about the source of this term).

I am not encouraging people to stick with IE 5.5, I am trying to
prevent them from being exploited when visiting my site. It is a
good-faith best effort, not something I will formally prove.

> Secondly, I don't think that filtering HTML coming from an arbitrary  
> user is a good idea. HTML is not very human-readable and too complex  
> to achieve real safety without lots of work. My suggestion is to use  
> some home-grown wiki-like syntax - it's easier to enter (*bold*  
> instead of <b>bold</b>), easier to read (and your users would  
> sometimes read their comments before posting - to check  
> correctness), and easier to process, since it can't have security  
> holes you're not aware of.

Did you read my post? I validate the XHTML against a restricted  
variant of the XHTML 1.0 Strict DTD. I want to ensure that if it  
validates, it is "safe", as I explained before. I think the "style"  
attribute is unsafe, so I can remove it from the DTD. (We can simulate  
the effect of "style" by providing pre-made CSS classes and vetting  
the "class" attribute.) I am sure you can generalise from here.

As for some other kind of markup: if my users were sophisticated  
enough to use something else, then I would use it. The target audience  
is not very literate, let alone computer literate.

> But you're right, we are off topic.

Sorry to reply to your post then, I couldn't resist. :-/

cheers
peter
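
As an added illustration of the allowlist approach Peter describes above (parse the fragment as XHTML, reject anything not explicitly permitted, drop "style" entirely and vet "class" against pre-made CSS classes), here is a small Python validator. It is example code written for this page, not code from the post, the thread or the Network.URI library. The element and attribute allowlist, the set of CSS classes and the href scheme check are assumptions made for the example; the post itself only mentions restricting the DTD and vetting "class".

```python
"""Allowlist validator for user-supplied XHTML comment fragments.

Instead of trying to strip dangerous constructs out of arbitrary HTML, the
fragment is parsed as XML (XHTML must be well-formed) and every element and
attribute is checked against an allowlist.  Anything not explicitly allowed
fails validation.  The "style" attribute is never allowed; formatting is done
through a fixed set of pre-made CSS classes selected via "class".

The allowlist, the class names and the href scheme check are assumptions
constructed for this example, not taken from the original post.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Elements a comment may contain and the attributes allowed on each.
# A small subset of XHTML 1.0 Strict, chosen for this example.
ALLOWED = {
    "p": {"class"},
    "b": set(),
    "i": set(),
    "em": set(),
    "strong": set(),
    "br": set(),
    "ul": {"class"},
    "ol": {"class"},
    "li": set(),
    "a": {"href", "title"},
    "span": {"class"},
}

# Pre-made CSS classes: the only styling a commenter can apply.
ALLOWED_CLASSES = {"quote", "highlight", "small"}

# Link schemes a comment may point at.  A missing scheme is a relative link.
# javascript:, data:, vbscript: and anything unknown are rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def check_href(value):
    """True if the href has an allowed scheme (or none) and no control chars."""
    # Browsers strip tabs/newlines before scheme detection, so "java\tscript:"
    # would run; refuse any control character or space instead of guessing.
    if any(ord(ch) <= 0x20 for ch in value):
        return False
    scheme = urlsplit(value).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def check_fragment(fragment):
    """Return (True, "") if the fragment validates, else (False, reason)."""
    # No DOCTYPE, comments, CDATA, entity declarations or processing
    # instructions inside a comment; literal "<!" must be written as "&lt;!".
    if "<!" in fragment or "<?" in fragment:
        return False, "markup declarations are not allowed"
    try:
        root = ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        # Covers unclosed tags and "</root><script>" style break-outs
        # (junk after the document element).
        return False, "not well-formed XML: %s" % exc
    for elem in root.iter():
        if elem is root:
            continue
        tag = elem.tag
        # Namespaced tags appear as "{uri}name" and are therefore rejected,
        # including a default xmlns declaration on the fragment itself.
        if tag not in ALLOWED:
            return False, "element not allowed: %s" % tag
        for name, value in elem.attrib.items():
            if name not in ALLOWED[tag]:
                # Catches style, onclick/on*, id, target, namespaced attrs...
                return False, "attribute not allowed on <%s>: %s" % (tag, name)
            if name == "class":
                classes = value.split()
                if not classes or not set(classes) <= ALLOWED_CLASSES:
                    return False, "unknown class: %r" % value
            elif name == "href" and not check_href(value):
                return False, "href not allowed: %r" % value
    return True, ""


if __name__ == "__main__":
    for sample in ('<p class="quote">Hi <b>there</b></p>',
                   '<p style="color:red">x</p>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<a href="java&#9;script:alert(1)">x</a>'):
        print(sample, "->", check_fragment(sample))
```

The validator only ever refuses; it never tries to repair a fragment, so the reasoning "if it validates, it is safe" rests on the allowlist alone and not on a filter correctly anticipating every attack. Note that the entity reference `&#9;` is decoded by the XML parser before `check_href` sees the value, which is why the control-character check has to run on the decoded attribute rather than on the raw text.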

