[Zope] Two issues for Z2.2: XHTML & malicious tags
Alexander Limi
alexander@limi.net
Fri, 2 Jun 2000 22:14:00 +0200
Evan Simpson:
> I've got a rather crude module going which parses an input string for
> HTML-ish tags. It allows only tags from an explicit list, and ensures that
> non-empty tags are closed (either by complaining or adding closing tags).
> If 'script' is not one of the allowed tags, it also disallows all "On*"
> attributes and "javascript:*" attribute values in any tag.
>
> Unfortunately, it isn't very efficient (based on sgmllib.py) and is rather
> crude. I had wanted to make it use SAX to do the parsing, so that sgmlop or
> another high-performance library could be plugged in, but never got there.
> Also, it has no DTML-level interface; you'd have to wrap it in an External
> Method to use it from DTML.
>
> I've gone ahead and put it up at
> http://www.zope.org/Members/4am/SafeHTML to see if anyone can make
> anything of it.

This looks a lot like the code I have lying around, only yours is more
comprehensive and user friendly :)

Anyway, I assume you are familiar with SAX for Python?
http://www.stud.ifi.uio.no/~lmariusg/download/python/xml/saxlib.html
It supports sgmlop, like you mentioned.

Your code will do beautifully for our project, we are not dependent upon
fast code in that specific part. Thanks a lot.

Now, can somebody tell me how to help Zope with spitting out XHTML
1.0-compliant tags? :]

--
Alexander Limi
alexander@limi.net
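
The filtering rules described in the quoted message (an explicit tag allowlist, closing tags added for unclosed non-empty tags, and removal of "On*" attributes and "javascript:*" values when 'script' is not allowed), shown as an added example that is not part of the original thread and is not the SafeHTML module itself. It uses Python 3's html.parser instead of sgmllib; the tag list and the names `AllowlistFilter` and `sanitize` are assumptions.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = frozenset({"p", "b", "i", "em", "a", "ul", "li", "br"})  # assumed list
EMPTY_TAGS = frozenset({"br"})  # empty tags: emitted without a closing tag


class AllowlistFilter(HTMLParser):
    def __init__(self, allowed=ALLOWED_TAGS):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []         # sanitized output fragments
        self.open_tags = []   # allowed non-empty tags still waiting for a close

    def _attr_ok(self, name, value):
        if not name.replace("-", "").isalnum():
            return False  # malformed attribute name
        if "script" in self.allowed:
            return True   # scripting permitted anyway, per the described rule
        # The parser has already decoded entities; browsers also ignore
        # tabs/newlines inside a URL scheme, so strip those before matching.
        compact = "".join(ch for ch in (value or "") if ch > " ").lower()
        return not name.startswith("on") and not compact.startswith("javascript:")

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # tag dropped; its text content is kept, escaped
        kept = "".join(f' {n}="{escape(v or "", quote=True)}"'
                       for n, v in attrs if self._attr_ok(n, v))
        self.out.append(f"<{tag}{kept}>")
        if tag not in EMPTY_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed closing tag
        while self.open_tags:  # close anything left open inside this element
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(text, allowed=ALLOWED_TAGS):
    parser = AllowlistFilter(allowed)
    parser.feed(text)
    parser.close()  # flush buffered text before closing leftover tags
    closers = "".join(f"</{tag}>" for tag in reversed(parser.open_tags))
    return "".join(parser.out) + closers
```

A stricter variant would allowlist attribute names and URL schemes as well, instead of rejecting only on* attributes and javascript: values.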