Comments for Sanitize Plugin

Comment from Phil Ringnalda on 2002-10-03

2002-10-03T19:14:35Z

How about stripping attributes from allowed tags (well, not href from a, but other than that)? I don't mind letting people make things bold, but I'd just as soon they don't make them style="color:lime; font-size:80px"]]>

Comment from Brad Choate on 2002-10-03

2002-10-03T19:26:29Z

You could do that using the Macro plugin. Ie:

Then for your CommentBody tag:

]]>

Comment from l.m.orchard on 2002-10-03

2002-10-03T22:01:45Z

Hey there... I've got a similar plugin to this (MTCleanHTMLPlugin), based on code I borrowed from LiveJournal. One thing that they do that would be good to consider is extensive filtering out of javascript-enabling atttributes (ie. onclick, onmouseover, etc). Nasty things have been known to happen down that road. You could probably do something like that fairly simply by having a list of allowed attributes per tag, as well as allowed tags.]]>

Comment from Eduardo on 2002-10-05

2002-10-06T03:11:35Z

Brad, Great plug-in! Just a couple of comments:

1. It closes tags that don't need to be closed, like the image tag.

2. It closes tags after the closing closing paragraph tag added by MT, so that the order of tags is not standard, i.e., p b /p /b, rather than p b /b /p.

3. If there's a br tag in the line, it doesn't close the b tag.

I don't know if all this matters to the Web browser, so maybe it's not that important.

]]>

Comment from girlie on 2002-10-05

2002-10-06T03:21:06Z

Sorry about those double pings - the first time I saved the entry, the URL stayed in the box as though the ping had failed - at least, I thought that's what it meant. Hmmmm.]]>

Comment from Minh Nguyễn on 2002-10-06

2002-10-07T01:27:55Z

Hi! I’m currently configuring my blog to use your plugin, but I was wondering:

My website uses XHTML. So I was wondering if your plugin supports elements from other namespaces, like xml:lang.

Thanks for making this plugin!

— minger

]]>

Comment from michel v on 2002-10-06

2002-10-07T02:50:51Z

Erm, it's not a problem with HTML. It's a problem with Movable Type, for God's sake. Its comments section is insecure out of the box.
And with its thousands users... it only took almost a year to notice MT allowed just anything to pass without first checking it's secure ? I don't mean to badmouth MT, for in my mouth it would sound very biased, but please... LMAO, this is incredible :P
Thank God (or Rasmus and friends) for PHP's strip_tags() function, which does just what you did.

By the way, I just noticed you should also change any style, class, id attribute into a safer title attribute in the comments. This avoids defacements such as this one.
(OK, so b2 was vulnerable to such ridicule 0wnage too until tonight, but at least it doesn't come with a giant security issue in the comments form by default, eheh ;)

]]>

Comment from Ben on 2002-10-07

2002-10-07T08:50:37Z

michel -- MT is *not* insecure out of the box. By default, all files have the extension .html. There may be some obnoxious Javascript tricks that could be pulled using that configuration, but certainly nothing like the things you can do with PHP, SSI, etc.

Now, it's true that the documentation could have been more clear about the dangers of using .php and .shtml as file extensions *with* static comments, but to say that this insecurity exists out of the box is completely false.

]]>

Comment from michel v on 2002-10-07

2002-10-07T10:26:32Z

OK, I retract that statement about MT being insecure out of the box.
But just because files have the extension .html by default doesn't mean comment data shouldn't be sanitised by default before being inserted in the database, don't you think ? :)]]>

Comment from Ben on 2002-10-07

2002-10-07T19:29:44Z

Actually, it is (well, it's sanitized before being displayed on a public page, at least).

Another default in a new MT blog is that HTML in comments is not allowed. So by default, all HTML in comments is completely stripped out--this includes both valid HTML tags and PHP/SSI/JSP/etc.

So in order to make it insecure you actually have to change the file extensions *and* check "allow HTML in comments". I forgot to mention that last night.

Anyway, yes, Brad's plugin is great, and it definitely fills a need.

]]>

Comment from TeledyN on 2002-10-10

2002-10-10T18:30:13Z

Do you take plugin requests? ;) ... I'd like to propose a de-sanitizer (defiler??) that basically goes the otherway, it takes straight text and produces HTML. Since you've posted a geekcode ;) then the technical word for what I would most like to see is a WikiText plugin.

This would seem most similar to your santizer, and I think folding the easy-markup of WikiText into blogspace would open up blogging for a lot more people. We just need to look at the size of Wikipedia to see that everyday people have no trouble with WikiText, but there's no way we're going to get more than 10% of the population using inline HTML.

what do you think? doable? desireable?

]]>

Comment from Sam on 2002-10-16

2002-10-17T00:13:36Z

A suggestion that occurred to me recently. I've noticed that when people post HTML comments, and accidentally put in a line break (by pressing enter while typing, not with a
tag) in the middle of a tag, stuff stops working. For example, an image might not display, or other annoying things like that.

I'm pretty sure it would be an easy fix that could tie in nicely with the checking for a close tag, but I'm a perl retard, and thus cannot implement it myself.

Just a suggestion :)

]]>

Comment from Norm Jenson on 2002-10-31

2002-10-31T10:20:59Z

A question from a novice. After creating the directories and installing the files Is it correct that I replace with in the comment template]]>

Comment from nardo on 2002-11-27

2002-11-27T11:42:57Z

An error occurred:

bradchoate/sanitize.pm did not return a true value at plugins/sanitize.pl line 28.

this is my code:

recognise this error?

thanks, nardo

]]>

Comment from Brian on 2002-12-03

2002-12-04T00:59:30Z

I think this plugin is stripping the target from my href's. The target="_blank" exists in the comment entry but is not getting through to the HTML. Do I need to include something for target in my allowable tags? I tried including target already.]]>

Comment from girlie on 2003-02-02

2003-02-03T02:14:27Z

Quote:

"One more feature of the Sanitize plugin is that while it scans the HTML for tags, it keeps up with which tags have been opened and closed. By the end of the data, if there are any tags that weren’t closed, it will append closure tags for each of them."

Can this be refined a bit? I'm having a little trouble, which is easiest explained by pointing you to the second page of this support forum thread. It may be closing a tag for me prematurely?? Or do you think it's something else causing this?

Thanks! Love the new site, btw!

]]>

Comment from Garrett on 2003-02-20

2003-02-20T23:07:52Z

To allow the target tag, put this in your allowed tags:

a href target

Additionally, you can include title as well, allowing someone to create a full link.

]]>

Comment from Jason on 2003-03-28

2003-03-29T02:51:16Z

What's the correct way to declare a singular tag with attributes?

img src width height alt/

img/ src width height alt

]]>

Sanitary comments

2002-10-03T20:58:17Z

The Sanitize plugin improves security for outside HTML on Movable Type Weblogs.

Deny everything

2002-10-03T21:20:56Z

When thinking security, only open what is neccessary. Block everything else, including the unknown.

MTCleanHTMLPlugin has a "competitor"

2002-10-03T22:04:58Z

Like the MTCleanHTMLPlugin I released a little while ago, Brad Choate's new MT Sanitize Plugin appears to do the same job. I haven't tried it yet, but since I'm using a pile of Brad's plugins and have based all of mine upon his examples, I'm assuming i...

sanitize plugin

2002-10-04T04:41:13Z

Worried about people posting malicious code in your comments, but still want the functionality of HTML enabled comments?? You might

Sanitize Plugin: para limpiar los abusos de HTML en los Comments.

2002-10-04T19:31:04Z

No es ninguna mala idea, Sanitize lo debe hacer bien... limpiar todo tipo de errores que la gente escribe en

/bradchoate/ is the funniest subdirectory on my server.

2002-10-05T13:47:35Z

OH MY GOD IT DIDNT WORK! It worked in the "preview" thing, I swear!!! If you didn't watch the Amazing

sanitize plugin

2002-10-06T02:20:30Z

Get thee post haste to Brad Choate's site and pick up the MT Sanitize plugin! Apply to all of your

Sanitized for our protection

2002-10-08T05:33:05Z

New MT plugin added here: Brad Choate's Sanitize Plugin. If all goes well, you shouldn't notice anything a'tall. But I

Calling security ...

2002-10-09T16:16:16Z

Haven't installed MT 2.5 yet, but I found something I'll be installing at the same time: Brad Choate's Sanitize Plugin.

Just a Tip...

2002-10-13T18:17:24Z

I have seen posts around the weblog world about people signing up for NaNoWriMo. (No, I am not one of

Now with 23% More Functionality!

2002-10-24T03:07:59Z

Remember that unpleasantness from early October? Sometime around then I disabled HTML in comments to this site (because I don't want to have to look at a man's gaping asshole

sanitize plugin

2002-11-20T04:11:53Z

Worried about people posting malicious code in your comments, but still want the functionality of HTML enabled comments?? You might

Sanitize your comments

2002-11-22T05:26:34Z

Theory had it today was supposed to be concentrating on sorting out the XHTML validation issues that I've got on

plugin maddness

2002-12-12T23:20:44Z

i have been working like mad installing a number of scripts and movabletype plugins to

PHP and more

2002-12-15T14:46:28Z

My page now has a .php extension. I've probably been living under a rock, but I had no idea you

Blog: How My Blog Works

2002-12-19T23:11:24Z

How my blog works, what software (and plugins) are used and how it all sticks together.

MT sanitize plugin

2002-12-20T02:49:46Z

http://www.bradchoate.com/past/mtsanitize.php

No Explosions At My House

2002-12-20T09:48:59Z

After hearing about Spring ninety thousand times from people that really should know what they're talking about I wandered over

Now with 23% More Functionality!

2003-01-02T20:56:53Z

Remember that unpleasantness from early October? Sometime around then I disabled HTML in comments to this site (because I don't want to have to look at a man's gaping asshole

So far, so good

2003-01-04T14:39:31Z

Happily, the move seems to have worked. I was able to see the new server less than 24 hours after changing the DNS. It's such a relief to be on a Linux server instead of IIS—the support people at my previous host were excellent but I love being a...

Do you have protection?

2003-01-12T05:42:51Z

For my MT buddies:: I'm not all up on the bad that can happen through allowing HTML in comments, but better to be safe than sorry right? I installed Brad Choate's Sanitize Plug-in and it was pretty simple going. You guys may want to look into it, if yo...

ctrl+c ctrl+v

2003-01-14T06:38:08Z

i've been a happy little copy and paster the last couple of days. i finally got around to installing the

there's a hole in your blog

2003-01-14T09:48:09Z

well, there might be. if you allow HTML in your comments, you could have the same thing happen to you

http://retrogra.de/archives/2003/01/26/.html

2003-01-26T21:07:52Z

Und wieder zwei kleine Updates vollendet. Zum einen die "Top 20 Referrers" auf der Indexseite und auf den Seiten der

Pay no attention to that man behind the curtain

2003-01-26T21:09:05Z

Und wieder zwei kleine Updates vollendet. Zum einen die "Top 20 Referrers" auf der Indexseite und auf den Seiten der

Movable Type version 2.6 is just around the corner

2003-01-29T18:04:19Z

Rogue Tags, Serendipitous Plugins

2003-02-02T11:40:44Z

So I had a major adventure posting yesterday's message, and made an entirely uninformed decision that it happened because the

Movable Type 2.6

2003-02-15T02:58:13Z

Movable Type 2.6 was released today and I just upgraded to the new version. Since I spread the different MT

Movable Type 2.6

2003-02-15T03:00:09Z

Movable Type 2.6 was released today and I just upgraded to the new version. Since I spread the different MT

Movable Type 2.6

2003-02-15T03:04:17Z

Movable Type 2.6 was released today and I just upgraded to the new version. Since I spread the different MT

Movable Type 2.6

2003-02-15T21:29:16Z

Movable Type 2.6 was released today and I just upgraded to the new version. Since I spread the different MT

Movable Type 2.6

2003-02-15T21:53:09Z

Movable Type 2.6 was released today and I just upgraded to the new version. Since I spread the different MT

Movable Type 2.6

2003-02-15T21:58:34Z

Movable Type 2.6 was released today and I just upgraded to the new version. Since I spread the different MT

Sanitize Usage

2003-02-21T19:03:39Z