[Zope] Malicious HTML

Evan Simpson evan@digicool.com
Wed, 8 Mar 2000 08:05:55 -0500


----- Original Message -----
From: Michel Pelletier <michel@digicool.com>
> Graham Chiu wrote:
> >
> > I wish to allow users to enter comments into my database which are then
> > viewable thru the browser.
> >
> > Is there a Zope function that I can pass their text thru to remove all
> > HTML?
>
> Nope.  There may be some standard python library module that I don't
> know about, however.  Otherwise, you will have to write your own.

On the other hand, if you tell the user up front that HTML tags are not
allowed, you can simply html_quote the text.  That will prevent any tags
from rendering, and prevent normal uses of '<>&' characters from breaking
anything.

Cheers,

Evan @ 4-am & digicool
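The two approaches discussed above, quoting the text versus stripping the tags, as an added Python illustration that is not part of this thread or of Zope: `html.escape` from the standard library stands in for Zope's `html_quote`, and `strip_tags` / `render_comment` are hypothetical helper names.

```python
import html
from html.parser import HTMLParser


def quote_comment(text: str) -> str:
    """Escape '&', '<', '>' and quotes so the browser shows them literally.

    This is Evan's approach: tags typed by the user are displayed as text
    instead of being rendered, and an innocent "a < b" survives intact.
    """
    return html.escape(text, quote=True)


class _TextOnly(HTMLParser):
    """Collect only character data, discarding every tag."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: entities are decoded
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def strip_tags(text: str) -> str:
    """Graham's request: remove all HTML. Hypothetical helper.

    Note that entity references are decoded, so "&lt;b&gt;" comes back as
    "<b>"; the result must still be quoted before it is put in a page.
    """
    parser = _TextOnly()
    parser.feed(text)
    parser.close()
    return "".join(parser.parts)


def render_comment(comment: str, strip: bool = False) -> str:
    """Constructed template: quote on output whether or not tags were stripped."""
    body = strip_tags(comment) if strip else comment
    return "<li>" + quote_comment(body) + "</li>"
```

Quoting alone is enough to stop tags from rendering; stripping is only a presentation choice layered in front of it, never a replacement for it.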