  1. #1
    wonshikee

    Unbreakable HTML

    Hello, if I am allowing the user to enter HTML, what would be the best way to prevent them from breaking the HTML of the main page?

    Would an iframe be the best solution? I would prefer no scrollbars on the side, so I'm not sure how else to deal with it.

  2. #2
    Dan Grossman
    The best solution is to not allow HTML. These forums allow limited markup (font colors, sizes, bold and italic, URLs, lists, quotes, code, etc.) without you ever breaking the HTML of the page. You could also allow only a subset of HTML -- a couple tags you allow while stripping all others.

  3. #3
    wonshikee
    Quote, originally posted by Dan Grossman:
        The best solution is to not allow HTML. These forums allow limited markup (font colors, sizes, bold and italic, URLs, lists, quotes, code, etc.) without you ever breaking the HTML of the page. You could also allow only a subset of HTML -- a couple tags you allow while stripping all others.

    It is for an auction site, so the ability for users to customize their page is a must. I can't not allow <p> and <div> layers, which is what will break the page if they don't close them properly.

  4. #4
    Dan Grossman
    Do whatever eBay does, then. Without having looked, there only seem to be two realistic solutions:

    1) Attempt to parse the HTML and fix errors (close unopened tags and such)
    2) Take the HTML as is. If they break the page, it's their auction that looks messed up, and they paid for the privilege, so oh well.

    Either way, they'd probably prohibit iframes and at least some JavaScript, as allowing arbitrary code execution from your domain would be dangerous.

    Edit:

    A quick look suggests that's exactly what they're doing.

    Code:
    <script language="javascript" type="text/javascript"><!--
            ebay.oDocument.oPage.createConfig = function()
            {
            var c = this.oDocument.addConfig(new EbayConfig("ViewItem.BlockActiveContent"));
            
            c.iBACVersion = 0;
            
            c.aCustomStrings = ["blockActiveContent","EbayBlockActiveContent","open\\s*\\(","createPopup\\s*\\(","ookie\\s*\\(","\\.\\s*cookie","\\.\\s*location\\s*[=.]","replace\\s*\\(","onerror","<iframe","<ilayer","<frameset","eval\\s*\\(","standardWrite","standardCreateElement","writePersonalHeader"];
            
            c.aTags= [["script","src",ebay.oGlobals.oEnvironment.sIncludeHost],["base","href"],["meta","refresh"],["frame","src",ebay.oGlobals.oEnvironment.sIncludeHost]];
            
            c.aElements = ["frame","script","layer"];
             
            c.aFixedStrings = ["<","<s","<sc","<scr","<scri","<scrip"];
            
            c.aLayerStrings = [[["href","mailto"],["position: absolute;","z-index: 1;"]],[["href","mailto"],["position: absolute;","z-index: 2;"]]];
            
            }
           ebay.oDocument.oPage.createConfig();
    //--></script>
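
Option 1 from post #4 (parse the HTML and repair it) combined with the tag subset suggested in post #2, as an added sketch that is not code from the thread or from eBay. It uses Python's standard-library `html.parser`; the allowlist, the set of dropped elements and the accepted URL schemes are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist (tag -> permitted attributes); the thread names only <p> and <div>.
ALLOWED = {"p": set(), "div": set(), "b": set(), "i": set(), "a": {"href"}}
DROPPED_WITH_CONTENT = {"script", "style", "iframe"}  # element and its body removed
SAFE_SCHEMES = ("http://", "https://", "mailto:")     # assumed; relative URLs are dropped


class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # unknown tags are stripped, their text is kept
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            ok_url = name != "href" or value.lower().startswith(SAFE_SCHEMES)
            if name in ALLOWED[tag] and ok_url:  # on* handlers never match
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            # Close inner tags the user left open, then the requested one.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
        # A closing tag with no matching opener is ignored, so user markup
        # cannot close a container that belongs to the host page.

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize(fragment):
    parser = ListingSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:  # balance whatever is still open at the end
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)
```

An unterminated `<script>` or `<iframe>` leaves `skip` set, so everything after it is dropped rather than emitted.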

