Plain text comments

Posted on August 04, 2003 @ 12:59 in Sitestuff

In a comment to a post at Feministe referring to this blog, Annie J. complains that I don't allow HTML in the comments. The primary reason for not allowing HTML in comments is that it is a potential security risk. If you allow all HTML tags in your comments, then people can try to insert scripts or automatic redirects in the comments, which could cause problems for the webserver (because now the script is running on the same machine as, for instance, your blog tool) or for the visitors, who fall victim to said scripts or redirects.

Not allowing any HTML is the simple answer, and I feel that not much is lost in terms of usability or expression that way. Filtering all submitted content would make the use of a restricted set of HTML tags in comments possible, and I may spend some time implementing it, but imho it doesn't add much to the site. The moral of the story? Be aware of what you let others contribute to your site ;-)
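To make the two options above concrete, here is an added example (not code from the original post, and not the PHP class mentioned in the comments) showing both approaches side by side in Python: escaping everything, which is what this site does, and an allowlist filter that keeps a restricted set of tags while dropping scripts, refresh redirects, event-handler attributes and non-http links. The sample comment, the tag and attribute allowlists and the function names are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample comment: harmless formatting mixed with the kinds of
# content the post warns about (a script, an automatic redirect, an event
# handler on a link and a javascript: URL).
SAMPLE_COMMENT = (
    '<b>Nice post</b>, see '
    '<a href="http://example.com/" onclick="steal()">here</a> and '
    '<a href="javascript:alert(1)">there</a>.'
    '<script>alert(1)</script>'
    '<meta http-equiv="refresh" content="0;url=http://example.com/">'
    '<i>AT&amp;T</i>'
)


def escape_all(text: str) -> str:
    """Option 1 (what this site does): allow no HTML at all.

    Every '<', '>', '&' and quote becomes an entity, so the browser shows the
    tags as literal text instead of interpreting them.
    """
    return escape(text, quote=True)


# Option 2: allow a small set of formatting tags and one attribute (assumed
# allowlists; a real site would pick its own).
ALLOWED_TAGS = {"b", "i", "em", "strong", "a", "p", "br", "blockquote", "code"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")


class AllowlistFilter(HTMLParser):
    """Rebuilds the comment from parsed tokens, keeping only allowed parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open_tags = []    # stack of allowed tags currently open
        self.skip_depth = 0    # > 0 while inside <script> or <style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1      # drop the tag and everything inside it
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                    # drop the tag but keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue              # onclick, style, etc. never survive
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue              # javascript:, data:, relative paths dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return                    # stray or disallowed closing tag
        # Close inner tags left open so the output stays well-formed.
        while self.open_tags:
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape text so a commenter cannot smuggle markup through it.
            self.out.append(escape(data, quote=False))


def filter_html(text: str) -> str:
    """Return the comment with only allowed tags/attributes, all tags closed."""
    parser = AllowlistFilter()
    parser.feed(text)
    parser.close()
    while parser.open_tags:           # close anything the commenter left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    print("escaped :", escape_all(SAMPLE_COMMENT))
    print("filtered:", filter_html(SAMPLE_COMMENT))
```

The escaping route is hard to get wrong, which is why it is the sensible default; the allowlist route only stays safe as long as the filter rebuilds output from parsed tokens (as above) rather than trying to delete bad substrings from the raw text, and as long as attribute values such as links are checked, not just tag names.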

Comments and Trackbacks

  1. Simon Willison has an excellent php class for validating comments, which I plan to nick when I get round to rebuilding my site :)

    http://simon.incutio.com/archive/2003/02/23/safeHtmlChecker

    Posted by insin on August 06, 2003 @ 17:19

Post a comment

Comments and trackbacks have been closed on this site. My apologies.

Since MT-Blacklist inexplicably stopped working I had no other recourse than to close comments and trackbacks to stop the spam. I've been meaning to correct this for quite a while, but life got in the way... in a good way, I should add.