RE: Safe subset for user contributed web content

Alexey Feldgendler wrote:
Mike Schinkel wrote:
> > I don't know if this can be incorporated into the same
> > initiative, but providing a safe subset for user
> > contributed web content could be very useful IMO,
> > such as for forum posts and blog comments.
> > 
> This is an interesting aspect, but I'm afraid that in
> this area there can't be common rules. If you look at the
> subsets of HTML that different blogging and other similar
> engines allow, you will find great variations. Some of
> them are dictated by security concerns (e.g. LiveJournal
> allows a carefully restricted subset of Flash objects to
> be embedded from sites like YouTube, while most others
> disallow these completely). Others depend on stylistic
> requirements: there are sites that allow great freedom in
> user-supplied formatting, while others require that
> user-submitted content generally fits into the visual
> style of the site, so its appearance shouldn't be
> modified too much with e.g. the style attribute.
> 
> Also, some of such engines allow their own extra
> elements, such as LiveJournal's <lj user="name">.

I reject your assertion that the variation invalidates the utility.  I
suggested a common yet secure subset, not one that attempts to control
stylistic aspects. And most variations deviate because there is no well
known secure standard subset that they can use instead.

Having a secure subset would by no means dictate styling, disallow sites
supporting an even smaller subset, or even force them to support the subset
if they did not want to. What it would do is make it easier to implement a
secure subset w/o fear they are opening themselves up to being hacked.

-- 
-Mike Schinkel
http://www.mikeschinkel.com/blogs/
http://www.welldesignedurls.org
http://atlanta-web.org - http://t.oolicio.us
"It never ceases to amaze how many people will proactively debate away
attempts to improve the web..."

Received on Tuesday, 27 February 2007 00:00:16 UTC