I dare you…
Thursday, 25 November 2004
…to make a mess of the comments of this entry. I’m working on a new plugin for Nucleus, called HTML Comments. It allows visitors to post comments in HTML, without (hopefully) allowing users to post malicious mark-up. If the plugin functions as I hope it does, every comment will still validate properly as XHTML. The code is based on lib-scrub and will be released under the GPL once I work out some of the bugs. So I dare you to try it out and post the most screwy HTML constructs you can find as I will monitor the performance of the new plugin.
Allowed tags are:
strong, b, em, i, del, strike, s, sup, sub, tt, kbd, code, pre, br, p, a, img
The plugin works in three modes:
- Plain text mode: If the text contains no tags, it will let Nucleus use its own filtering algorithm.
- HTML styling: If the poster does not specify any line breaks or paragraphs, it will try to build those from the hard line breaks present in the text. So you can post just like you are used to, except that you use tags like <b> or <em> for styling your post.
- Full HTML: If the poster does specify line breaks or paragraphs, the plugin will ignore any hard line breaks and base the presentation solely on the HTML code present in the post.
Check if the page is still valid XHTML with the W3C Validator
Update: I’m making quite a bit of progress with Lib-Scrub, the library on which this plugin is based. I’ve rewritten large parts of it since the last public release. Improvements include checking the document against a DTD, which will ensure that attributes or tags that are not allowed will not end up in the output. Next thing to do… checking if required attributes are present…
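An added illustration, not the plugin's or lib-scrub's code, of the approach described above: keep only the listed tags, drop attributes that are not on a per-tag allowlist, and re-balance tags so the output stays well-formed. The attribute allowlist, the URL-scheme check and the handling of script content are assumptions; unlike a DTD-driven scrubber it does not check required attributes or content models.

```python
from html import escape
from html.parser import HTMLParser

# Tag list is the post's; the attribute, URL-scheme and drop rules are assumptions.
ALLOWED = set("strong b em i del strike s sup sub tt kbd code pre br p a img".split())
VOID = {"br", "img"}
ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SCHEMES = ("http://", "https://", "mailto:")
DROP = {"script", "style"}  # discarded together with their text

class Scrubber(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # tag not on the allowlist: drop the tag, keep its text
        kept = ""
        for name, value in attrs:
            ok = name in ATTRS.get(tag, ()) and value is not None
            if ok and name in ("href", "src"):
                ok = value.strip().lower().startswith(SCHEMES)
            if ok:
                kept += f' {name}="{escape(value)}"'
        if tag in VOID:
            self.out.append(f"<{tag}{kept} />")
        else:
            self.stack.append(tag)
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:
            while self.stack[-1] != tag:  # close inner tags first
                self.out.append(f"</{self.stack.pop()}>")
            self.out.append(f"</{self.stack.pop()}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def scrub(markup):
    s = Scrubber()
    s.feed(markup)
    s.close()
    return "".join(s.out + [f"</{t}>" for t in reversed(s.stack)])
```

A stray closing tag with no matching open tag is ignored rather than re-opened, so mis-nested input loses some styling but never produces unbalanced output.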
[b] bold [i] bold-italic [/b] italic [/i]
bold bold-italic italic
Yet another cool plugin from Rakaz!! :)
I’m looking forward to the release :)
Is there any reason the <blockquote>-tag is not allowed?
some script code:
<script type="text/javascript">
window.alert("test");
</script>
TeRanEX: Hmm… your last post didn’t trigger one of the HTML modes… checking why…
TeRanEX: fixed!
How about that?
Well, it works…
rakaz, you may want to check out BLOG:CMS mods, at http://demo.blogcms.com/?it…
bold
Paragraph
Heading1
Div
Looks like it's working fine.
Just checking some improper markup combined with javascripting… ;)
Wow, the blockquote containing the javascript was completely removed!
Just checking some improper markup combined with javascripting… ;)
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
Well, it kinda broke… :)
KB: that’s just mean :)
KB: actually, your example didn’t trigger any of the HTML modes, so technically my plugin isn’t at fault here :) Not that my plugin would do any better, but still :)
Haha, we need a wrap around here.
Italic Bold Underlined
Paragraph
List item
List Item
List Item (ordered list)
List Item (ordered list)
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
Better?
hmm… slightly better
Image :
Hey, rakaz, I really like your blog. I couldn’t believe you are enabling comments after upgrading to XHTML 1.1, though this page is not sent in ‘application/xhtml+xml’.
Ok, now let me try ur HTML comments stuff…
testingtesting
TeRanEX: The reason why <blockquote> is currently not allowed is for my own convenience. In XHTML 1.0 Transitional <blockquote> allowed children from the Flow type, in other words, every other tag. In XHTML 1.0 Strict <blockquote> only allows children from the type Block. Lib-scrub, which is used for the filtering, does not yet support inserting extra block elements into blockquotes; allowing blockquotes would almost certainly lead to validation problems. It is however something I am working on.
Just testing to really horrible tagsoup:
<em><b></b>L ine One<br></em><st
rong>Line Two
Line One
Line Two
This page validates as XHTML 1.1… awesome!
Which reminds me – I can’t wait ’till XHTML 2.0!! Or CSS 3!! Uaaaaargh!
Well, this sounds to be a good idea, so I’m gonna have a try with some php code :
<?php print(‘\"If you don’t see the PHP print instruction, it’s not good for php scripts !\"’)?>
RouXx
(Source: mw22 over at mozillaZine, mozillaZine.org: WSDL Support in Mozilla 1.4 Final: TalkBack #13)
Alright, it didn’t accept the HTML I put in. That’s good.
Just wandered in here from somewhere, checking out your firefox buttons… might I say your blog is drop-dead gorgeous though?
some text
Image :
Hmm… image tag is allowed but doesn’t work?
http://www.webcoder.be/lode…
Hey rakaz! Why don’t you have your menu position ‘fixed’ so that it stays near the screen at all times?
Aaron, that’s what I’m thinking, too. But maybe rakaz has the reason.
There is a very good reason for not using position fixed. Somehow the fontstyle switcher doesn’t like it. If it is set to fixed it will update the font and size, but it will not dynamically resize the menu to fit the text into it. So you could end up with text running out of it, or text being wrapped at the wrong point or even text running into each other because the line-height isn’t updated too.
see, rakaz has the good reason.
I’m just wondering why my gravatar’s not showing up here but it’s up on my site.
Maybe because I’m not using my email add here. Let me try.
NonO
why not?
Hi Niels,
I was wondering what happened to lib-scrub? I got a copy ages ago and have been using it to clean up code for my site for a while, but now I see you have taken the project page down. Have you abandoned development or can we expect a new version some time?