Sanitized comments in the db
While Brad Choate’s Sanitize plugin works great for keeping unwanted HTML (and PHP, ASP, JSP, and SSI) out of your pages that include comments, as a plugin it only gets to affect your rendered pages: the things you don’t want are still in your database, waiting for the day you disable the plugin or decide to read the comments straight out of your MySQL database.
Luckily, Brad’s plugin design, having the plugin call a separate Perl module, makes it easy to hack it into Movable Type’s comment post code.
If you have the plugin installed, all you have to do is add two lines to {your MT directory}/lib/MT/App/Comments.pm, replacing
$comment->text($q->param('text'));
(line 98, for mine anyway), with
use bradchoate::sanitize;
$comment->text(bradchoate::sanitize::sanitize_html($q->param('text'), "a href,strong,em,blockquote"));
(replacing that abbreviated set of allowed tags and attributes with your own) and any future comments will be sanitized before they even make it to your database.
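As an added illustration (this is not Brad’s plugin code and not from the post), here is a small allowlist sanitizer in Python that models what that sanitize_html call is doing at the point of storage: it takes the same spec string format ("a href,strong,em,blockquote", a tag optionally followed by the attributes it may carry), drops every tag not listed and every attribute not listed for its tag, discards comments (where SSI directives such as <!--#exec --> live) and <?php ... ?> processing instructions, and escapes everything else, which is what happens to ASP/JSP <% %> blocks. The href scheme check and the closing of tags left open are assumptions added here, not something the post says the plugin does.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit


def parse_spec(spec):
    """Turn "a href,strong,em,blockquote" into {tag: {allowed attrs}}."""
    allowed = {}
    for entry in spec.split(","):
        parts = entry.split()
        if parts:
            allowed[parts[0].lower()] = {a.lower() for a in parts[1:]}
    return allowed


# Assumption added here: URL-bearing attributes must use one of these
# schemes ("" covers relative URLs); anything else, e.g. javascript:, is dropped.
SAFE_SCHEMES = {"http", "https", "mailto", ""}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.open_tags = []  # allowed tags opened but not yet closed

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # tag not in the spec: removed entirely, its text survives
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag]:
                continue  # e.g. onclick on <strong> is silently dropped
            value = (value or "").strip()
            if name in ("href", "src") and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # closing a tag that was never (allowed to be) opened
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        # Text is re-escaped, so "<% ... %>" and stray "<" cannot become markup.
        self.out.append(html.escape(data, quote=False))

    # Comments (including SSI directives), declarations and <?php ... ?>
    # processing instructions are discarded outright.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self):
        self.close()  # flush any buffered trailing text
        while self.open_tags:  # close what the commenter left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(text, spec):
    """Stand-in for the plugin's sanitize_html(text, spec) call shape."""
    sanitizer = AllowlistSanitizer(parse_spec(spec))
    sanitizer.feed(text)
    return sanitizer.result()


# Constructed sample comment exercising each case the post mentions.
SAMPLE_COMMENT = (
    'Hi <strong onclick="x()">there</strong> '
    '<a href="javascript:alert(1)">bad</a> '
    '<a href="http://example.com/">ok</a> '
    '<?php system("id"); ?><!--#exec cmd="ls" --><script>alert(1)</script>'
    '<em>open'
)

if __name__ == "__main__":
    print(sanitize_html(SAMPLE_COMMENT, "a href,strong,em,blockquote"))
```

Calling it in the same place the post patches (before the text reaches the database) is the whole point: whatever the rendering layer does later, the stored copy is already clean.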
You do realize that this line of code is shoving your sidebar to the bottom of the page, dontcha?
Just sayin’.
Not in a decent browser with a decent idea of default font sizes, it isn’t.
Yeah, I did notice that, in that browser, but then I forgot about moving the <pre> to the extended entry. Thanks for the reminder, sweetie.
You’re not going to get all Mozilla evangelist on me now, too, are you?