October 9, 2002

Brad Choate's 'Sanitize' plugin for MT

Apparently if an MT blog allows HTML in comments and publishes its pages with an executable file extension (such as .php or .shtml), server-side code inserted into a comment could be executed when the page is served. Brad Choate has released a plugin called Sanitize that enables MT users to exclude all but a specified list of HTML tags in comments:

[T]he quick fix to this problem is to disallow HTML comments. But if you want to keep your HTML comments and strip them of unsafe tags, you can use the Sanitize plugin to clean them up. Here's how you might use it:


<MTCommentBody sanitize_html="a href,b,br,p,strong,em,ul,li,blockquote">


The tags listed in the 'sanitize_html' attribute are the tags that are allowed. Any tags not listed will be removed. In addition, the JSP, ASP, PHP and SSI markups are automatically stripped out to prevent abuse. Attributes must also be specified (as of the 1.1 update).
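As an added illustration (not Brad Choate's Perl plugin, whose code is not reproduced here), the following Python sketch applies the same policy: it turns the sanitize_html attribute value into a tag-and-attribute allowlist, strips PHP, ASP/JSP and SSI markup first, and re-emits only listed tags with only their listed attributes. SAMPLE_COMMENT is a constructed input, not a real comment.

```python
import re
from html import escape
from html.parser import HTMLParser

# Server-side markup the plugin strips outright: PHP <?...?>, ASP/JSP <%...%>, SSI <!--#...-->.
SERVER_SIDE = re.compile(r"<\?.*?\?>|<%.*?%>|<!--\s*#.*?-->", re.S)

def parse_allowlist(spec):
    """Turn 'a href,b,br,...' into {'a': {'href'}, 'b': set(), 'br': set(), ...}."""
    allowed = {}
    for entry in spec.split(","):
        parts = entry.lower().split()
        if parts:
            allowed[parts[0]] = set(parts[1:])
    return allowed

class Sanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; everything else becomes plain text."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed, self.out = allowed, []
    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # unlisted tag is dropped; its inner text survives
        keep = [f' {n}="{escape(v, quote=True)}"'
                for n, v in attrs if n in self.allowed[tag] and v is not None]
        self.out.append(f"<{tag}{''.join(keep)}>")
    def handle_endtag(self, tag):
        if tag in self.allowed and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # neutralises stray '<' and '&'
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    # HTML comments, <!DOCTYPE ...> and <?...?> hit HTMLParser's no-op defaults, so they vanish.

def sanitize_html(text, spec="a href,b,br,p,strong,em,ul,li,blockquote"):
    """Same policy as <MTCommentBody sanitize_html="..."> in the quoted template."""
    parser = Sanitizer(parse_allowlist(spec))
    parser.feed(SERVER_SIDE.sub("", text))
    parser.close()
    return "".join(parser.out)

# Constructed sample comment (not from the page) mixing allowed and unsafe markup.
SAMPLE_COMMENT = ('<p>Hi <a href="http://example.com/" title="x">link</a><br />'
                  '<font color="red">loud</font> <?php echo "x"; ?><% = Now() %>'
                  '<!--#echo var="DATE_LOCAL" -->1 &lt; 2 &amp; 3</p>')
```

Note that the font tag and the title attribute disappear while their text stays, and the PHP, ASP and SSI fragments are gone before the HTML parser ever sees them.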

Posted by xian at October 9, 2002 10:11 AM