Sanitising HTML

It was pointed out to me that comments on my old posts were showing as raw HTML (you know, a "<p>this is a comment</p>" sort of thing). I knew this. The reason was that about five minutes after releasing thort, the engine that now runs this place, it occurred to me that comment HTML was simply being displayed as submitted. Unsanitised.

Cross-site scripting, anyone? Oops.

So I just threw an “escape” filter into my comment template (which uses the great Trimpath JavaScript templating engine) so that I couldn’t be brutally pwnt by anyone posting a comment. Escaping turns every tag into literal text, which is why the comments ended up showing as raw HTML, but it does mean nothing a commenter types can run.

Finally this evening I thought: I’d better do something about that. Two minutes of Googling brought me to Caja’s HTML sanitizer, written in JavaScript. It was the work of but a moment to throw that into the CouchDB view that generates comments so that the output comment HTML was sanitized. It was the work of but one more moment to also throw that into the client-side JavaScript that displays a posted comment. The server-side pass is the one that actually protects readers, since anyone can bypass client-side JavaScript; the client-side pass just keeps a freshly posted comment looking the same as it will after a reload. It’s really nice being able to use exactly the same code on client and server.
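Here is an added example (not code from the original post, and not Caja's sanitizer) showing the two approaches described above side by side: the stop-gap escape filter, and an allowlist sanitizer that keeps ordinary comment markup while removing script, event-handler attributes and javascript: URLs. The tag and attribute allowlist, the sample comment, and the CouchDB document shape in the closing comment are assumptions made for the example.

```javascript
// Added example (not code from the original post, and not Caja's sanitizer):
//   escapeHtml   - the stop-gap "escape" filter: every comment becomes inert text.
//   sanitizeHtml - an allowlist sanitizer: harmless markup survives, script,
//                  event handlers and javascript: URLs do not.
// The tag/attribute parser is deliberately small and constructed for this
// example; the allowlists below are assumptions, not a recommendation.

var ALLOWED_TAGS = {
  p: [], br: [], em: [], strong: [], code: [], pre: [], blockquote: [],
  ul: [], ol: [], li: [], a: ['href'],
};
var VOID_TAGS = { br: true };
var SAFE_URL_SCHEME = /^(https?|mailto):/i;

// Stop-gap: escape everything, so markup is shown literally rather than rendered.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Text between tags: escape <, > and any bare &, but keep well-formed entities.
function escapeText(s) {
  return s.replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Decode the entities an attacker uses to hide a scheme (e.g. &#106;avascript:).
// Only the BMP is decoded (fromCharCode); that is enough for a scheme check.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(amp|lt|gt|quot|apos));?/gi,
    function (m, hex, dec, named) {
      if (named) return { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" }[named.toLowerCase()];
      var cp = parseInt(hex || dec, hex ? 16 : 10);
      return cp < 0x10000 ? String.fromCharCode(cp) : '';
    });
}

// Only http(s) and mailto links survive. Control characters and whitespace,
// which browsers ignore inside a scheme, are stripped before the check.
function safeHref(raw) {
  var url = decodeEntities(raw).replace(/[\u0000-\u0020]+/g, '');
  return SAFE_URL_SCHEME.test(url) ? url : null;
}

var TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/;
var ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Re-emit only the attributes allowed for this tag; onclick, style, etc. vanish.
function renderAttrs(tag, attrString) {
  var allowed = ALLOWED_TAGS[tag], out = '', m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrString)) !== null) {
    var name = m[1].toLowerCase();
    var value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    if (allowed.indexOf(name) === -1) continue;
    if (name === 'href') { value = safeHref(value); if (value === null) continue; }
    out += ' ' + name + '="' + escapeHtml(value) + '"';
  }
  return out;
}

function sanitizeHtml(input) {
  var s = String(input), out = '', stack = [], i = 0;
  while (i < s.length) {
    var lt = s.indexOf('<', i);
    if (lt === -1) { out += escapeText(s.slice(i)); break; }
    out += escapeText(s.slice(i, lt));
    var m = TAG_RE.exec(s.slice(lt));
    if (!m) { out += '&lt;'; i = lt + 1; continue; }      // a stray '<' is just text
    i = lt + m[0].length;
    var closing = m[1] === '/', tag = m[2].toLowerCase();
    // hasOwnProperty, not "in": otherwise <constructor> would pass the allowlist.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_TAGS, tag)) {
      // Unknown element: drop the tag. For script/style also drop the body,
      // since that is code rather than comment text.
      if (!closing && (tag === 'script' || tag === 'style')) {
        var end = new RegExp('</' + tag + '\\s*>', 'i').exec(s.slice(i));
        i = end ? i + end.index + end[0].length : s.length;
      }
      continue;
    }
    if (closing) {
      var depth = stack.lastIndexOf(tag);
      if (depth === -1) continue;                          // close without open: drop
      while (stack.length > depth) out += '</' + stack.pop() + '>';
    } else if (Object.prototype.hasOwnProperty.call(VOID_TAGS, tag)) {
      out += '<' + tag + '>';
    } else {
      out += '<' + tag + renderAttrs(tag, m[3]) + '>';
      stack.push(tag);
    }
  }
  while (stack.length) out += '</' + stack.pop() + '>';    // balance what the commenter left open
  return out;
}

// Constructed sample comment carrying the usual XSS payloads.
var SAMPLE_COMMENT = '<p>Nice post! <script>alert(document.cookie)</script>' +
  '<a href="javascript:alert(1)" onclick="steal()">click</a> ' +
  '<a href="https://example.com/?a=1&amp;b=2">ok</a> <img src=x onerror=alert(1)>' +
  '<b>bold</b> 1 < 2</p>';

// Nothing above touches the DOM, so the same function runs in the browser and
// in a CouchDB view. Assumed document shape, for illustration only:
//   function (doc) { if (doc.type === 'comment') emit(doc.post, sanitizeHtml(doc.body)); }
```

The parser here is intentionally minimal: a real sanitizer such as Caja's tokenises HTML the way browsers do and copes with far more of their quirks (unterminated attributes, comments, CDATA, encoding tricks), which is exactly why using one beats writing your own. What the example does show is the difference in outcome: the escape filter makes everything inert at the cost of rendering every comment as source, while the allowlist approach keeps `<p>`, `<em>` and safe links and still leaves the script, the event handler and the javascript: link with nothing to execute.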
