----- Original Message ----- From: Christopher Petrilli <petrilli@digicool.com>
Evan mentioned XML-based, but I think that's a bit heavy, unless it's sgmlop based, perhaps? Other ideas? I like the idea of a minimal set of tags (A, B, I, EM, BR, P, UL, OL, LI perhaps?) that are allowed, all else is verboten... any other scheme is a "bad thing" :-)
Having now read the advisory and the slashdot discussion which followed, I now see that you have to be a little more draconian than this, even. You need to make sure that those tags are *really* bare (no onAnything="javascript:argh") and take special care with anchor hrefs.

Whether sgml or xml-based, parsing shouldn't be too much of a burden unless you get a *lot* of content submitted. You only need to do it once per submission, after all, and only if it contains '<>&'s.

Happily, the default Zope error page doesn't seem to have the 404 exploit exposed on slashdot.

Cheers,
Evan @ 4-am
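An allow-list sanitiser along the lines Evan describes: only the bare tags from Petrilli's list survive, every attribute is dropped except a scheme-checked href on anchors, and the parse runs only when a submission contains '<', '>' or '&'. This is an added example written for this thread, not Zope's or the posters' code; the scheme allow-list and the names `Sanitiser`, `safe_href` and `sanitise` are my own assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag allow-list from Petrilli's message; any other tag is dropped, its text kept.
ALLOWED_TAGS = {"a", "b", "i", "em", "br", "p", "ul", "ol", "li"}
# The only attribute that survives is href on <a>; this scheme allow-list ("" is a
# relative link) is my constructed policy, the thread only says "take special care".
SAFE_SCHEMES = {"", "http", "https", "mailto"}

def safe_href(value):
    # Remove control characters first so "java\nscript:" cannot hide its scheme.
    value = "".join(c for c in (value or "") if c.isprintable()).strip()
    return value if value and urlsplit(value).scheme.lower() in SAFE_SCHEMES else None

class Sanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                  # <script>, <img onerror=..> vanish
        if tag == "br":
            self.out.append("<br>")                 # void tag, nothing to close
            return
        href = safe_href(dict(attrs).get("href")) if tag == "a" else None
        attr = f' href="{escape(href)}"' if href else ""
        self.out.append(f"<{tag}{attr}>")           # every on*= handler is discarded here
        self.stack.append(tag)

    def handle_endtag(self, tag):
        while tag in self.stack:                    # close back down to the matching tag
            self.out.append(f"</{self.stack.pop()}>")

    def handle_data(self, data):
        self.out.append(escape(data))               # text content is always entity-escaped

    def result(self):
        self.close()
        while self.stack:                           # close whatever the author left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def sanitise(text):
    if not any(c in text for c in "<>&"):           # only submissions with markup get parsed
        return text
    parser = Sanitiser()
    parser.feed(text)
    return parser.result()
```

Because `HTMLParser` unescapes attribute values before handing them over, an entity-encoded `javascript&#58;` href reaches `safe_href` already decoded and is rejected like the plain form.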