Re: [Phpslash-devel] yet more suggestions for .73...
From: Joe S. <joe...@us...> - 2003-05-13 19:01:32
On Sat, May 10, 2003 at 07:32:08PM -0400, Luis M wrote:
>
> ummm it seems that posting code to an article causes phpslash to parse the
> code. This makes yet another suggestion for the future release:
>
> #. Do not parse code coming from articles.
>
> Things like having $php variables, or {VAR} containers for templates... They
> should all be escaped if the text comes from an article. That could
> potentially eliminate all types of cross-site scripting and sql-code
> injection that <i>might</i> be lurking in the phpslash code...
>
> At least people should have the option to turn code parsing off, in case
> somebody actually wants to allow this for his/her site.
>
> Suggestions?
>

So let's back up and define what you need to happen when posting code.

1. text contained in {} should not be parsed. Is this the case with all story
input? I kinda think so. Solutions here can get kind of goofy. Any suggestions?

2. indenting preserved with <pre> </pre>?

3. html in the code to be converted and not displayed as html?

Instead of just acting during the save process, should this happen with a
button that applies immediately to the form entry field and a preview? Don't
know if it's very feasible or not.

> P.S. For the meantime I'll try to escape as much as I can by hand (as I
> usually do).
>

Do you have to escape it all again if you modify the article?

Joe
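The three requirements Joe lists (braces left unparsed, indentation kept with <pre>, HTML shown as text) and the closing question about re-escaping on edit can be covered by one small escaping routine. The PHP below is an added example written for this archive page; it is not phpslash code. The {NAME} placeholder syntax, the "parse on save" flow and the sample article text are assumptions made for the illustration.

```php
<?php
// Added example for the escaping discussed in the thread. Not phpslash code:
// the {NAME} placeholder syntax, the template pass and the sample article are
// assumptions constructed for this illustration.

/**
 * Make a block of user-submitted code inert. Idempotent: running it over its
 * own output returns the same string, so re-saving an edited article does not
 * pile up entities.
 */
function escape_code(string $raw): string
{
    // 1. HTML metacharacters become entities, so nothing in the block reaches
    //    the browser as markup or script. double_encode=false leaves entities
    //    that are already present (&lt;, &#123;) alone, which is what makes
    //    the function idempotent.
    $out = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML401, 'UTF-8', false);

    // 2. Every brace becomes a numeric entity. The browser renders the same
    //    character, but a later {NAME} substitution pass can no longer match.
    //    Replacing all braces rather than only well-formed {IDENT} tokens
    //    avoids depending on the exact regex the template engine uses.
    return strtr($out, ['{' => '&#123;', '}' => '&#125;']);
}

/** Render for display: indentation survives only inside <pre>. */
function render_code_block(string $raw): string
{
    return '<pre>' . escape_code($raw) . '</pre>';
}

/**
 * Minimal stand-in for the template pass the thread worries about: any
 * {NAME} token is replaced by $vars['NAME']. Present only to show that the
 * escaped output is no longer matched by it.
 */
function apply_template(string $text, array $vars): string
{
    return preg_replace_callback(
        '/\{([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($vars): string {
            return $vars[$m[1]] ?? $m[0];
        },
        $text
    );
}

// Constructed sample: article text containing PHP, HTML and a template token.
$article = "if (\$count < 10) {\n    echo \"<b>{TITLE}</b>\";\n}\n";
$vars    = ['TITLE' => 'Front Page'];

// Unescaped: the token is substituted and <b> reaches the browser as markup.
$unsafe = apply_template($article, $vars);
// Escaped: token and tag both survive as literal text, indentation intact.
$safe   = apply_template(render_code_block($article), $vars);

echo $unsafe, "\n---\n", $safe, "\n";

// Re-saving an already escaped article must not change it.
$once  = escape_code($article);
$twice = escape_code($once);
echo $once === $twice ? "idempotent\n" : "double-escaped!\n";
```

Two points of design. The cleaner answer to "do you have to escape it all again if you modify the article?" is to store the raw text and call render_code_block() at output time, so the edit form always shows what the author typed and nothing is ever escaped twice; the idempotence of escape_code() is a safety net for a design that escapes on save instead. Also, the `$php variables` concern only matters if article text is interpolated into PHP source or passed to eval(); no amount of HTML escaping helps there, and the fix is simply not to evaluate article text.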