2006-07-23 00:11:03 +00:00
|
|
|
|
|
|
|
|
Security
|
|
|
|
|
|
|
|
|
|
Like anything that claims to afford security, HTML_Purifier can be circumvented
|
|
|
|
|
through negligence of people. This class will do its job: no more, no less,
|
|
|
|
|
and it's up to you to provide it the proper information and proper context
|
|
|
|
|
to be effective. Things to remember:
|
|
|
|
|
|
2007-01-29 17:53:54 +00:00
|
|
|
1. Character Encoding: see enduser-utf8.html for more info.
|
2006-07-23 00:11:03 +00:00
|
|
|
|
2007-01-29 17:53:54 +00:00
|
|
|
2. Doctype: document pending feature completion
|
|
|
|
|
Not strictly necessary, actually. More in-depth discussion once we figure
|
|
|
|
|
out how to get strict loose mode working.
|
2006-07-23 00:11:03 +00:00
|
|
|
|
2007-01-29 17:53:54 +00:00
|
|
|
3. IDs: see enduser-id.html for more info
|
2006-07-23 00:11:03 +00:00
|
|
|
|
2007-01-29 17:53:54 +00:00
|
|
|
4. Links: document pending feature completion
|
|
|
|
|
Rudimentary blacklisting, we should also allow only relative URIs. We
|
|
|
|
|
need a doc to explain the stuff.
|
2006-07-23 00:11:03 +00:00
|
|
|
|
2007-01-29 17:53:54 +00:00
|
|
|
5. CSS: document pending
|
|
|
|
|
Explain which CSS styles we blocked and why.
|
