tags:

views:

41

answers:

4
+2  Q: 

Why not use HTML tags in websites' text editors?

Hi all, I may need to implement this sometime in the future, but I think the trigger for the question now is mainly curiosity.
I thought of how to write a text editor to a web site I'll build soon, and saw this site's (and other's) way, so I thought - isn't it a bit too complicated? If tags should be used from the first place, why not let users use HTML tags? The only reason I can think of is HTML injection which I don't know much about, but it sounds like an easy issue to solve, isn't it?

Thank you.

+2  A: 

Historically, systems like BBCode were designed to limit available formatting elements to things that would not break the layout of the site, but now, with more mature and smarter HTML parsers, it's not necessary to invent a new markup language just to bar certain un-safe HTML tags.

The current main reason I've seen is that HTML is foreign to most users, and the HTML substitutes are aimed at providing a simplified version of the formatting directives an every-day user would need.

Mark Trapp  2010-09-06 20:46:27
+4  A: 

Simply because not all of your users will know HTML. *bold text* is a lot more easy to understand (and read in it's raw form) than <b>bold text</b>. Especially if you get into links.

The reason we use Markdown, Textile and the rest is to provide a nice alternative that's accessible to more users.

Of course you can still provide the ability to use HTML to your users (it's in the Markdown spec) but you'll have to do a lot of checking to make sure there's nothing malicious going on - for example, blocking <script>, <iframe>, large images, javascript in the form <a href="javascript:alert("...");"> etc.

Ross  2010-09-06 20:47:14
@Ross: ++ Thanks for the specific examples for HTML injection.
Oren A  2010-09-06 21:23:59
+2  A: 

There are several reason why you should not use HTML tags in such an editor:

1) It might be less complex for the user if you introduce an own reduced tag set

2) HTML Injection: There is a big risk of dangerous HTML code getting injected.

If you really want to allow HTML code you have to be very careful.

Ben  2010-09-06 20:48:51
+1  A: 

HTML script injection is most emphatically not an easy problem to solve. HTML is a fairly complicated, non-regular language - detecting all possible vulnerabilities is a really hard problem. Many sites have tried, and failed. It's easier, from a vulnerability-prevention POV, to just prohibit HTML entirely, or allow only a small subset of tags.

Michael Petrotta  2010-09-06 20:49:53

related questions

Would you override ScriptControl or BaseValidator for an async ASP.NET validator control?
Handling HttpRequestValidationException gracefully and ASP.net AJAX compatible?
How to Dynamically Generate String Validation?
Validate email address in Javascript?
Data Validation Design Patterns
Strong Validation in WPF
How to evaluate an IP?
Validating a HUGE XML file
Validate (X)HTML in Python
ValidationRule To Enforce Unique Name
Checking if userinput is a valid URI in XUL
XML Parser Validation Report
Email SMTP validator
MVC - where to implement form validation (server-side)?
How do you remove invalid hexadecimal characters from an XML-based data source prior to constructing an XmlReader or XPathDocument that uses the data?
How to check set of files conform to a naming scheme
What's the best way to implement field validation using ASP.NET MVC?
How do I validate xml against a DTD file in Python
What's the best way to validate an XML file against an XSD file?
Problem databinding an ASP.Net AJAX toolkit MaskedEditExtender
Validating posted form data in the ASP.NET MVC framework
Best method for varchar date validation in Sybase (T-SQL)?
How important is W3C XHTML/CSS validation when finalizing work?
How far should one take e-mail address validation?
ASP .Net Custom Client-Side Validation