in reply to Re: Proposal: Adding to Approved HTML Tags
in thread Proposal: Adding to Approved HTML Tags

I can see your point, but from what I understand the allowed HTML tags are checked using a regular expression. Adding a few extra tags would obviously increase the complexity of the regex, but that in itself should not increase the complexity of the site as a whole. I would imagine the current code to fix up broken HTML is much more complex.

The missing tags are obviously not all required, but I would like any semantic meaning behind the text to be allowed. No one would be forced to use the tags, but they would be there for those who want to impart extra metadata about their post.

If nothing else, it would allow a monk to style various parts of a post with more ease.

Re: Re: Re: Proposal: Adding to Approved HTML Tags
by PodMaster (Abbot) on May 06, 2004 at 02:59 UTC

      Thanks for the link. (++PodMaster!) If I understand the code correctly, adding new tags would not add new complication since the current code is already table driven. Very cool code.

Re: Re: Re: Proposal: Adding to Approved HTML Tags
by eXile (Priest) on May 06, 2004 at 14:06 UTC
    I can see your point as well (always nice in a discussion to understand each other's points),

    the thing is that I believe in simplicity, as opposed to 'featuritis'. In my opinion your proposal is in the grey area in between.

    I don't agree that just adding a few tags won't increase complexity of this site:

    • Adding other features might become more complex, because you have to take into account more information. Can't think of an example right now, but I hope the scenario is clear.
    • These tags might be exploitable in cross-site scripting. For instance, if the <del>-tag could be used to execute code on your computer, not allowing this tag would be better security-wise. Although the chances of this happening are very small, some browsers have a terrible track record in this field.

      I believe we both agree that adding the tags would add complexity to PM. Where we seem to differ is the amount of complexity added, and whether the added benefit of the new tags outweighs the potential problems. Given that the allowed tags appear to be allowed through a table-driven process, adding a few new tags would only increase the complexity marginally. (The difference between a table of ten tags and a table of fifty tags is negligible when the code to parse the table of tags is already present.)

      The security implications are a different matter. I can honestly say I did not consider any cross-site scripting problems with the new tags. I would love to hear how the DEL tag could be used to execute code on a computer. My opinion is that the tags proposed above are no more harmful than the CODE, TT, or H3 tags are. An enlightenment would be appreciated.

        Hi,

        I didn't say there are cross-site scripting issues known right now, but I think in accepting information from 'untrusted' sources, one can't be paranoid enough. My point is that we don't know how harmful any given tag is because we can't be sure there are no bugs in the browser implementations (<insert rant about non open-sourced software here>). And even open-sourced browsers might contain bugs. The fact that in the past even simple things like <img>-tags have been exploitable in certain browsers makes me think one cannot be careful enough. Be prepared for the unexpected.

        And I also am not totally against adding (some of) these tags (after all I don't have to do the coding), I just wanted these thoughts taken into consideration.
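
The table-driven allowlist this thread discusses, as an added Python example (not PerlMonks' code and not written by any poster; the tag table, attribute sets and URL-scheme rule are constructed assumptions). It shows that a new tag costs one table row, while the cross-site scripting exposure sits in attributes such as event handlers and the URL-valued `cite`, which are filtered per tag.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed table: tag -> attributes permitted on it (not the site's real list).
ALLOWED = {
    "code": set(), "tt": set(), "h3": set(), "p": set(),
    "del": {"cite", "datetime"},   # adding a tag is one new row
    "ins": {"cite", "datetime"},
}
URL_ATTRS = {"cite"}               # attributes whose value is a URL
SAFE_SCHEMES = {"http", "https"}   # relative and scheme-less URLs are dropped too

class AllowlistFilter(HTMLParser):
    """Re-emits allowed tags with allowed attributes; escapes everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _keep(self, tag, name, value):
        # Anything not listed for this tag (onclick, style, ...) is dropped.
        if name not in ALLOWED[tag] or value is None:
            return False
        if name in URL_ATTRS:
            return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
        return True

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            # Unknown tags are shown as literal text instead of reaching the browser.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = [(n, v) for n, v in attrs if self._keep(tag, n, v)]
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in ALLOWED else escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(markup):
    """Return markup with only allowlisted tags and attributes left active."""
    f = AllowlistFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out)
```

Comments, doctype declarations and processing instructions are dropped, because the parser's default handlers for them emit nothing.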