Support » Requests and Feedback » Remove non-allowed HTML on comment output rather than on comment save

  • When someone leaves a comment with non-allowed HTML (such as <table>), it’s stripped BEFORE it’s inserted into the database.

    IMO, it should be stripped by the function before it’s displayed instead. This way, if someone decides to change what tags are allowed in their comments, previously non-allowed by now allowed tags will be displayed.

    This will also allow <code> formatting plugins to allow commenters to post code that uses non-allowed tags without having to manually replace < and >.

    Or can someone think of a drawback to allowing non-allowed HTML into the database? I mean, some plugins may be affected that manually grab the content of a comment from the database, but they’d just need to run the comment content through the stripping function(s) first.

Viewing 1 replies (of 1 total)
  • <MCincubus> Viper007Bond, could be dangerous… leaves more possibilities for malicious code getting out

    Now that I think of it, I agree. It’s too risky.

    Nevermind then. 🙂

Viewing 1 replies (of 1 total)
  • The topic ‘Remove non-allowed HTML on comment output rather than on comment save’ is closed to new replies.