Configuration Ideas

Here are some theoretical configuration ideas that we could implement some
time. Note the naming convention: %Namespace.Directive

%Attr.IDPrefix - prefix all ids with this
%Attr.RewriteFragments - if there's %Attr.IDPrefix we may want to transparently
    rewrite the URLs we parse too. However, we can only do it when it's a pure
    anchor link, so it's not foolproof
%Attr.ClassBlacklist,
%Attr.ClassWhitelist,
%Attr.ClassPolicy - determines what classes are allowed. When
    %Attr.ClassPolicy is set to Blacklist, only allow those not in
    %Attr.ClassBlacklist. When it's Whitelist, only allow those in
    %Attr.ClassWhitelist.
%Attr.LangAlphaOnly - designate whether or not to allow numerals in language
    code subtags
    * RFC 1766, the current standard referenced by XML, does not permit
      numbers, but,
    * RFC 3066, the superseding best practice standard since January 2001,
      permits them.
    We allow numbers by default, but you generally never see them at all,
    which makes this a little more sane.
%Attr.MaxWidth,
%Attr.MaxHeight - caps for width and height related checks. (a hack in Pixels
    for an image crashing attack could be replaced by this)

%URI.Munge - will munge all URIs to a different URI, which should redirect
    the user to the applicable page. A urlencoded version of the URI will
    replace any instances of %s in the string. One possible string is
    'http://www.google.com/url?q=%s'. Useful for preventing pagerank from
    being sent to other sites
%URI.AddRelNofollow - will add rel="nofollow" to all links, preventing the
    spread of ill-gotten pagerank
%URI.RelativeToAbsolute - transforms all relative URIs to absolute form
%URI.HostBlacklist - strings that if found in the host of a URI are disallowed
%URI.HostBlacklistRegex - regexes that if matching the host are disallowed
%URI.HostWhitelist - domain names that are excluded from the host blacklist
%URI.HostPolicy - determines whether it's reject all and then whitelist, or
    allow all and then apply specific blacklists with the whitelist
    intervening. 'DenyAll' or 'AllowAll' (default)
%URI.DisableIPHosts - URIs that have IP addresses for hosts are disallowed.
    Be sure to also grab unusual encodings (dword, hex and octal)
%URI.DisableExternalResources - disallow resource links (i.e. URIs that result
    in immediate requests, such as src in IMG) to external websites
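
One way the %URI.DisableIPHosts check could recognise the unusual encodings it mentions, written in Python as an added example (not code from this project). The function names and sample hosts are hypothetical, and the parsing follows the inet_aton-style rules browsers apply to numeric hosts.

```python
import re

# Illustrative helper names; sample hosts below are constructed.
_HEX = re.compile(r"0[xX][0-9a-fA-F]*\Z")
_OCT = re.compile(r"0[0-7]*\Z")
_DEC = re.compile(r"[1-9][0-9]*\Z")

def _parse_part(part):
    """Parse one dot-separated part as hex (0x..), octal (0..) or decimal."""
    if _HEX.match(part):
        return int(part[2:] or "0", 16)
    if _OCT.match(part):
        return int(part, 8)
    if _DEC.match(part):
        return int(part, 10)
    return None

def ipv4_from_host(host):
    """Return the canonical dotted quad if host is an IPv4 address in any
    inet_aton-style encoding (dword, hex, octal, short forms), else None."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":  # tolerate one trailing dot
        parts.pop()
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    # All but the last part are single bytes; the last fills the remaining bytes.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def is_ip_host(host):
    """True for bracketed IPv6 literals and for any IPv4 encoding."""
    host = host.strip()
    if host.startswith("[") and host.endswith("]"):
        return True
    return ipv4_from_host(host) is not None

# Constructed samples: the first six are all 127.0.0.1; the last two are names.
SAMPLES = ["127.0.0.1", "2130706433", "0x7f000001", "017700000001",
           "0x7f.1", "0177.0.0.01", "[::1]", "example.com", "1.example.com"]
```

Normalising to the dotted quad before the decision also lets the same value be compared against a host blacklist or whitelist, so an encoded address cannot slip past a string match.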