Remove non-allowed HTML on comment output rather than on comment save (2 posts)

  1. Alex Mills (Viper007Bond)
    Posted 10 years ago #

    When someone leaves a comment with non-allowed HTML (such as <table>), it's stripped BEFORE it's inserted into the database.

    IMO, it should be stripped by the function before it's displayed instead. This way, if someone decides to change what tags are allowed in their comments, previously non-allowed but now allowed tags will be displayed.

    This will also allow <code> formatting plugins to allow commenters to post code that uses non-allowed tags without having to manually replace < and >.

    Or can someone think of a drawback to allowing non-allowed HTML into the database? I mean, some plugins may be affected that manually grab the content of a comment from the database, but they'd just need to run the comment content through the stripping function(s) first.

  2. Alex Mills (Viper007Bond)
    Posted 10 years ago #

    <MCincubus> Viper007Bond, could be dangerous... leaves more possibilities for malicious code getting out

    Now that I think of it, I agree. It's too risky.

    Never mind then. :)
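Both points from the thread side by side, as an added example that is not WordPress code or the poster's: the retroactive benefit of filtering on output (post 1) and the unfiltered-read risk (post 2). It is Python rather than PHP, the allowlists and comment are constructed, and the filter is a simplified kses-style allowlist that drops all attributes (WordPress's own filter also allowlists attributes per tag).

```python
import re

# Constructed allowlists: the site's tag policy before and after an admin widens it.
ALLOWED_BEFORE = frozenset({"a", "b", "i", "code"})
ALLOWED_AFTER = ALLOWED_BEFORE | {"table", "tr", "td"}

# Matches one opening or closing tag; group 1 is the slash, group 2 the tag name.
TAG_RE = re.compile(r"<(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^<>]*>")

def strip_disallowed(markup, allowed):
    """Allowlist filter: keep allowed tags (all attributes dropped), delete the rest."""
    def keep_or_drop(m):
        slash, name = m.group(1), m.group(2).lower()
        return "<%s%s>" % (slash, name) if name in allowed else ""
    return TAG_RE.sub(keep_or_drop, markup)

class SaveTimeStore:
    """Current behaviour described in post 1: filter before the row is inserted."""
    def __init__(self):
        self.rows = []
    def save(self, comment, allowed):
        self.rows.append(strip_disallowed(comment, allowed))
    def display(self, i, allowed):
        return self.rows[i]  # nothing left to strip; a later policy change cannot restore tags

class OutputTimeStore:
    """The proposal: store the comment raw and filter on every render."""
    def __init__(self):
        self.rows = []
    def save(self, comment, allowed):
        self.rows.append(comment)
    def display(self, i, allowed):
        return strip_disallowed(self.rows[i], allowed)
    def raw(self, i):
        # A plugin reading comment_content straight from the table without filtering:
        # this unfiltered path is the risk raised in post 2.
        return self.rows[i]

# Constructed comment: a tag that later becomes allowed and one that never does.
COMMENT = '<table><tr><td>cell</td></tr></table> <b>bold</b> <iframe src="x"></iframe>'

def compare():
    save_time, output_time = SaveTimeStore(), OutputTimeStore()
    save_time.save(COMMENT, ALLOWED_BEFORE)
    output_time.save(COMMENT, ALLOWED_BEFORE)
    return {
        "save_time_after_policy_change": save_time.display(0, ALLOWED_AFTER),
        "output_time_after_policy_change": output_time.display(0, ALLOWED_AFTER),
        "unfiltered_read": output_time.raw(0),
    }
```

`compare()` returns the three renderings; only the `unfiltered_read` entry still carries the `<iframe>`, which is why every read path would have to go through the filter if comments were stored raw.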

Topic Closed

This topic has been closed to new replies.
