On Thu, 12 Jul 2001, Ausum wrote:
I need my local users to create content using html tags within a textarea, but I don't want them to include links to external image resources.
My idea is to enable a filter that looks for the "http://www.whatever_ext_site.com" string within the img tag, and then erase it before posting the whole form data to the proper method.
Is there a simple way for doing this? (If not, what is the hard way? :) )
The hard way would be to parse html yourself using sgmllib and remove img tags.
Just be careful Ausum, you might end up in a world of pain if your users get ambitious:

  <div onMouseover="document.write(unescape('%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%7a%6f%70%65%2e%6f%72%67%2f%49%6d%61%67%65%73%2f%7a%6f%70%65%6c%6f%67%6f%2e%67%69%66%22%3e'))">
  touch me
  </div>

or

  <object data="http://www.zope.org/Images/zopelogo.gif" type="image/gif"></object>

There are also many ways of obfuscating URLs,

  <img src="http://yourlocalhostname@1063661857/Images/zopelogo.gif">

cheers,
oliver
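
Added example, not part of the original thread: an allowlist filter that parses the submitted markup instead of searching for URL strings, so the event-handler, object and obfuscated-URL cases above are all dropped. It uses Python 3's html.parser as a stand-in for sgmllib (which Python 3 no longer ships); the tag/attribute policy and all names are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: allowed tag -> attributes it may keep.
ALLOWED = {t: set() for t in ("p", "b", "i", "em", "strong", "br",
                              "ul", "ol", "li", "div")}
ALLOWED["img"] = {"src", "alt"}
VOID = {"br", "img"}  # elements that take no closing tag
# Local image paths only: no scheme, host, userinfo, "//" prefix or backslash.
LOCAL_SRC = re.compile(r"/?[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # <object>, <script>, ... are dropped; inner text is escaped
        # Event handlers (onmouseover=...) are not in any allowlist, so they go.
        kept = [(k, v) for k, v in attrs if k in ALLOWED[tag] and v is not None]
        if tag == "img" and not LOCAL_SRC.fullmatch(dict(kept).get("src", "")):
            return  # external or obfuscated source: drop the whole tag
        rendered = "".join(' %s="%s"' % (k, escape(v)) for k, v in kept)
        self.out.append("<%s%s>" % (tag, rendered))

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(markup):
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input modelled on the cases in the thread.
    sample = ('<div onmouseover="document.write(1)">touch me</div>'
              '<img src="http://example.invalid/logo.gif">'
              '<img src="/Images/zopelogo.gif" alt="logo">')
    print(sanitize(sample))
```

The output is rebuilt from the parsed tags and escaped text, so anything the parser did not recognise as an allowed tag can only come out as inert text.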