[wp-hackers] HTML Purifier

Edward Z. Yang edwardzyang at thewritingpot.com
Wed Feb 14 11:52:54 GMT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Little wrote:
> For me tag balancing (balance_tags) and tag filtering (kses) are two
> separate processes - and you don't always want both.

That's an interesting view. Could you tell me when you would only do tag
filtering and not tag balancing? Tag balancing is crucial, because
otherwise an attacker could totally mess up a layout by </div>ing out of
the box they're in.

> I do[n't] think we need super correctly (x)html purification in the core either
> to me it is the perfect job for a plugin - if people want it they can
> install it.

The trouble with that is the average Joe, who doesn't really care about
standards-compliance and just wants things to work, won't ever do such a
thing. I think WordPress should put itself to a higher standard and
attempt to have 100% compliant code out of the box.

> Without expressing an opinion on the should we/shouldn't we debate, I
> will point out that there is a lot more to XHTML than well-formed XML.
> That is merely the foundation.
> 
> For example if we were to use XHTML strict,
>  <center>some text</center>
> is perfectly formed XML. But it is not allowed in strict XHTML

HTML Purifier's already got it covered: that will become <div
style="text-align:center">some text</div>. You can try it:
http://hp.jpsband.org/live/docs/examples/demo.php?html=%3Ccenter%3ECentered%3C%2Fcenter%3E&strict=1&submit=Submit

- --
 Edward Z. Yang      Personal: edwardzyang at thewritingpot.com
 SN:Ambush Commander Website: http://www.thewritingpot.com/
 GPGKey:0x869C48DA   http://www.thewritingpot.com/gpgpubkey.asc
 3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF0vgWqTO+fYacSNoRAiveAJ9+PhQAbpG8L2OGjVcwroLl5ijCDQCdEx7X
HntJgyh5mS09rhER23nRycs=
=1PZ4
-----END PGP SIGNATURE-----
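Worked example of the two-pass idea discussed above (kses-style tag filtering, then balance_tags-style balancing, with the XHTML Strict rewrite of <center> from the demo link). This is an added illustration, not code from the original message, from WordPress, or from HTML Purifier; the allow-lists, the FilterAndBalance class and the sanitize() helper are constructed for this example, and the rendered output is meant to show why a stray </div> in user content cannot close the container it is rendered into.

```python
"""Tag filtering plus tag balancing as two separate passes over one token
stream. Constructed example: not WordPress's kses/balance_tags and not
HTML Purifier's code; the allow-lists below are illustrative only."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Filtering policy (hypothetical, kses-like allow-list).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "div", "center", "ul", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}

# XHTML Strict has no <center>; rewrite it the way the message describes.
STRICT_REWRITES = {"center": ("div", [("style", "text-align:center")])}


class FilterAndBalance(HTMLParser):
    """Drops disallowed tags/attributes (filtering), then keeps open/close
    tags balanced (balancing) so user content stays inside its box."""

    def __init__(self, strict=False):
        super().__init__(convert_charrefs=True)
        self.strict = strict
        self.out = []
        self.stack = []  # (source tag, emitted tag) for every open element

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # filtering: the tag is gone, its text content survives
        out_tag, forced = tag, []
        if self.strict and tag in STRICT_REWRITES:
            out_tag, forced = STRICT_REWRITES[tag]
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and urlparse(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # e.g. javascript: links are dropped
            kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept + forced)
        if tag in VOID_TAGS:
            self.out.append(f"<{out_tag}{attr_text} />")
            return
        self.out.append(f"<{out_tag}{attr_text}>")
        self.stack.append((tag, out_tag))

    def handle_endtag(self, tag):
        if tag not in [src for src, _ in self.stack]:
            return  # balancing: a close tag with no matching open is dropped
        while self.stack:
            src, out_tag = self.stack.pop()
            self.out.append(f"</{out_tag}>")
            if src == tag:
                break  # everything opened inside it was closed first

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        self.close()  # flush any buffered text
        while self.stack:  # balancing: close what the author left open
            self.out.append(f"</{self.stack.pop()[1]}>")
        return "".join(self.out)


def sanitize(fragment, strict=False):
    """Filter and balance one user-supplied HTML fragment."""
    parser = FilterAndBalance(strict=strict)
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: a stray </div>, and the <center> case from the demo link.
    print(sanitize("text</div><b>bold"))
    print(sanitize("<center>Centered</center>", strict=True))
```

Run as a script it prints text<b>bold</b> (the stray </div> is dropped and the unclosed <b> is closed) and <div style="text-align:center">Centered</div>. The two passes stay separable: handle_starttag alone is the filter, and handle_endtag plus result() are the balancer, so either policy can be changed without touching the other.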