Newsgroups: php.internals
Subject: Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape
From: tyra3l@gmail.com (Ferenc Kovacs)
To: Leigh
Cc: Lester Caine, PHP internals
Date: Thu, 20 Sep 2012 15:13:53 +0200
References: <505AEB97.8010303@lsces.co.uk> <505B124A.8070309@lsces.co.uk>

On Thu, Sep 20, 2012 at 3:09 PM, Leigh wrote:
> > My whole point here is identifying WHAT needs 'escaping'. You can't simply
> > 'escape' the output stream, you still want html tags to get out?
>
> This problem is specific to YOU, because (as far as I understood your
> previous post) you decided to store big chunks of HTML in your data
> store. It is not a problem with this proposal, or a problem in
> general.
>

More specifically: accepting HTML, but trying to allow some of the tags but
still filtering most of it.
HTMLPurifier is the tool for this kind of job, but most people would
recommend using some kind of alternative markup format, like BBCode.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
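The case the reply describes, allowing a few HTML tags while filtering everything else, is the job of an allow-list sanitizer rather than of escaping or of a blocklist. The example below is added here to show the shape of such a filter; it is not code from this thread, from HTMLPurifier or from PHP itself, and it is written in Python (using the standard html.parser) rather than PHP so that it runs without extra dependencies. The tag and attribute policy in ALLOWED, the URL scheme list and all sample inputs are assumptions constructed for the example. The key design point, which also explains why HTMLPurifier is a parser and not a set of regexes, is that the output is rebuilt from parsed events: every byte emitted is either an allow-listed tag the sanitizer wrote itself or escaped text, so event-handler attributes, javascript: links, script bodies and unbalanced tags never survive.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for this example: only these tags survive and, per tag, only
# the listed attributes. Anything else is dropped; its text content is kept
# and escaped.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(),
    "strong": set(), "em": set(), "a": {"href"},
}
VOID = {"br"}                                   # never gets a closing tag
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL (policy choice)


def safe_url(value):
    """Accept a link target only if its scheme is allow-listed. Tabs and
    newlines are removed first because browsers ignore them inside a scheme,
    so 'java<TAB>script:' would otherwise slip through as 'no scheme'."""
    cleaned = "".join(c for c in value if c not in "\t\r\n").strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Rebuild the fragment from parser events instead of editing the
    original string, so nothing reaches the output unless we wrote it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skipping = None        # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = tag     # drop the element together with its body
            return
        if tag not in ALLOWED:
            return                  # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue            # e.g. onclick, onerror, style
            if name == "href" and not safe_url(value):
                continue            # e.g. javascript: or data: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            # also close anything left open inside this tag, keeping output balanced
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skipping:
            return                  # script/style bodies are discarded
        self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE> and <?...?> fall through to the base class, which
    # ignores them, so they never reach the output.

    def result(self):
        while self.open_tags:       # close whatever the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return a fragment that contains only allow-listed markup."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for sample in [
        '<b>hi</b><script>alert(1)</script>',
        '<a href="javascript:alert(1)" onclick="x()">link</a>',
        '<a href="https://example.com/page">ok</a>',
        'Tom & Jerry <img src=x onerror=alert(1)>',
        '<p><b>unclosed',
    ]:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Run as a script it prints each constructed sample beside its sanitized form. Note that the policy, not the mechanism, decides what is safe: allowing an href at all forces the scheme check, and any tag added to ALLOWED needs the same attribute-by-attribute review. Rendering a restricted markup such as BBCode avoids that review entirely, which is the trade-off the reply points at.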