Sanitary comments

While I’ve never had a problem with allowing HTML in my comments (other than the time I left an <i> open), there are plenty of tags that I don’t really want anyone being able to post, not to mention that I really don’t want people posting PHP in comments. Thanks to Brad Choate’s Sanitize plugin, that’s one less thing to worry about. Install the plugin, add sanitize_html="p, br, a, b, u, i, strong, em, blockquote, ol, ul, li" to your <$MTCommentBody$> tag, and only the tags on that list survive; everything else is stripped. The PHP is gone, people won’t break the page when they accidentally forget to escape the < and > in sample code, and as a side benefit, when I forget to close my tags the plugin will take care of them. Very nice.

Are there any other tags that I forgot, that should be in the allowed list?

16 Comments

Comment by Dorothea Salo #
2002-10-03 09:12:38

What about <code>? <acronym>? <span>?

 
Comment by Kafkaesquí #
2002-10-03 09:27:16

What, no <pre>? (yep, I’m snickering)

 
Comment by Mark Pilgrim #
2002-10-03 18:00:49

CODE, SAMP, KBD, DFN, Q. And link to the HTML spec to encourage people to figure out what the hell they are and how to use them properly. Subtle evangelism.

 
Comment by Phil Ringnalda #
2002-10-03 18:31:52

Okay, I think I’ve got them all included, but you’ll have to try them out to be sure. And I did include <pre>, since there’s nothing here that it can break, and there are times when linebreaks and spacing are significant, and nothing else will do as well.

 
Comment by Kafkaesquí #
2002-10-03 19:41:46

I’ve got some free time…

–> This should be 2 paragraph lines

thanks to the <p> tag. <–

Never breakin line.

Anchors away.

Phil is emboldened by his success.

The Web cannot be highlighted.

Try leaning to the right.

Don’t let them push you around.

I cannot be more emphatic about this.

“You’re a blockhead, Charlie Brown.”

  1. This is post-zero.
  2. This is pre-three.
  3. This is between two and four.
  • I
  • Want
  • Candy.

Morse's work proceeded in punctuated fashion.

TINAA

Am I blue?

Next time, try to get it in the cup.

Typing is easiest when someone else does it.

A statement which conveys what I mean.

“Don’t quote me on that.”

Oh and Phil: it just wasn’t as funny if I knew the pre tag was allowed. OK, so it wasn’t funny.

 
Comment by Phil Ringnalda #
2002-10-03 21:11:40

Actually, I thought it was funny, and then I realized where we were, and figured that we can get away with it here.

Thanks for the testing – I’m in a mad rush to get ready for this weekend, so I wanted to know it was going to work reasonably well, but I didn’t want to make the time to do it myself.

 
Comment by Phil Ulrich #
2002-10-04 07:16:13

Whoah. Did you redesign, or is my browser just suddenly flipping out?

 
Comment by michel v #
2002-10-06 16:01:32

this is a normal <p>aragraph.

If all goes well, you shouldn’t be 0wned by a giant, flashing paragraph.

 
Comment by michel v #
2002-10-06 16:07:49

Aiyah, I just 0wned Phil.

Just adding another box to use line-height property. Since the page’s already injured, forgive me for checking why Mozilla crunched the first box on just one line.

 
Comment by Brad Choate #
2002-10-06 17:42:43

Hmm– I guess you’re still using the 1.0 release of Sanitize :)

On Friday night, I updated it to 1.1 to add attribute support (so you can specify which attributes are allowable in addition to tags). 1.2 is the current release which provides better tag closure support.

 
Comment by HaloScan #
2002-10-06 18:09:06

Not exactly the most subtle way to give your message, michel v. I almost hit the “Print Screen” button to take a screenshot of what I thought was a defacement of Phil Ringnalda’s site. ;-)

Obviously, the span tag really is a bit unnecessary for visitor comments.

 
Comment by michel v #
2002-10-06 18:30:40

I know it’s not subtle ;) It’s funny in Mozilla, it blinks!
By the way, this is not a span tag. I used a simple <p> tag with a style attribute.
I emailed Phil to beg for forgiveness. :P
Consequently, I fixed b2 in CVS so that it wouldn’t accept any style, class, or id attributes from comments.

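The approach the post describes (keep an allowlist of tags, drop everything else, escape a stray < or >, and close whatever the commenter forgot), combined with the lesson of michel v’s <p style="..."> defacement above and Brad Choate’s note that Sanitize 1.1 allowlists attributes as well as tags, as one worked example. This is example code written for this page, not the source of the Sanitize plugin or of b2: it uses Python’s html.parser, takes its tag and attribute policy from the list of permitted tags shown at the bottom of the page (plus <br>), and adds a scheme check on href and cite values that the page itself does not mention. All names in it are this example’s own.

```python
"""Allowlist-based comment sanitizer in the spirit of the Sanitize plugin
discussed above.  Example code for this page, not the plugin's own source.

Policy (constructed for this example from the permitted-tag list at the
bottom of the page, plus <br>):
  * only allowlisted tags survive; any other tag is dropped but its text
    is kept, except <script>/<style>, whose contents are dropped too;
  * only allowlisted attributes survive, so style/class/id/onclick vanish
    even on a permitted tag (the <p style> defacement in the thread);
  * href/cite must be relative or use http/https/mailto (this check is an
    addition of the example, not something the page describes);
  * processing instructions (<?php ... ?>), comments, doctypes: dropped;
  * a stray '<' or '>' in text is escaped instead of breaking the page;
  * tags still open at the end of the comment are closed in order.
"""
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {
    "a": {"href", "title"}, "abbr": {"title"}, "acronym": {"title"},
    "b": set(), "blockquote": {"cite"}, "code": set(),
    "del": {"datetime", "cite"}, "dd": set(), "dl": set(), "dt": set(),
    "em": set(), "i": set(), "ins": {"datetime", "cite"}, "kbd": set(),
    "li": set(), "ol": set(), "p": set(), "pre": set(), "q": {"cite"},
    "samp": set(), "strong": set(), "sub": set(), "sup": set(), "ul": set(),
    "br": set(),
}
VOID_TAGS = {"br"}                 # emitted without a closing tag
URL_ATTRS = {"href", "cite"}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}  # dropped together with their contents

_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def safe_url(value):
    """True for relative URLs and for http/https/mailto absolute URLs.
    Control characters and spaces are removed before the check so that
    'java\\tscript:' style tricks are still recognised as a scheme."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    m = _SCHEME.match(cleaned)
    return m is None or m.group(1) in SAFE_SCHEMES


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded, we re-escape
        self.out = []
        self.open_tags = []   # stack of permitted tags we have emitted
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # tag dropped; its text still flows through handle_data
        kept = []
        for name, value in attrs:  # names are already lower-cased by the parser
            if name not in ALLOWED_TAGS[tag]:
                continue
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):  # <br />, <p/> and the like
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return            # close tag for something never opened: ignore
        while self.open_tags:  # close anything opened after it, keeping nesting well-formed
            open_tag = self.open_tags.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # stray < > & become entities

    # PHP/XML processing instructions, comments, doctypes, CDATA: all dropped
    def handle_pi(self, data): pass
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def unknown_decl(self, data): pass

    def result(self):
        self.close()
        while self.open_tags:            # close whatever the commenter forgot
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    parser = CommentSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # constructed sample comments, not taken from the thread
    for sample in ('<p style="position:fixed;font-size:200px">0wned</p>',
                   'hi <?php system("id"); ?> there',
                   '<b>bold <i>both</b> tail, and if (a < b) too'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Run as a script it prints the sanitized form of a few constructed comments. The point the thread makes the hard way is visible in the policy table: permitting a tag says nothing about its attributes, so style, class, id and on* handlers have to be filtered separately, and URL-valued attributes need their scheme checked, or a permitted <a> turns into a javascript: link.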
 
Comment by Phil Ringnalda #
2002-10-06 20:08:56

Heh. Remind me to leave a post saying that I’m leaving for the weekend, and asking you to play nice while I’m gone.

 
Comment by michel v #
2002-10-07 00:27:51

OK, I’ll use background: transparent; next time ;)

 
Comment by Shannon #
2002-10-09 07:26:40

Phil? Honey? You didn’t accidentally sanitize yourself right out of your own blog, did you?

Come to the light.

 
Comment by Shannon #
2002-10-15 22:38:36

Burying this a bit: you online?

 
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <del datetime="" cite=""> <dd> <dl> <dt> <em> <i> <ins datetime="" cite=""> <kbd> <li> <ol> <p> <pre> <q cite=""> <samp> <strong> <sub> <sup> <ul> in your comment.