On Thu, Jun 4, 2009 at 11:56 AM, Neil Harris<usenet(a)tonal.clara.co.uk> wrote:
However, writing a JavaScript sanitizer that restricted the user to a "safe" subset of the language, by first parsing and then resynthesizing the code using formal methods for validation, in a way similar to the current solution for TeX, would be an interesting project!

Interesting, but probably not very useful. If we restricted JavaScript the way we restricted TeX, we'd have to ban function definitions, loops, conditionals, and most function calls. I suspect you'd have to make it pretty much unusable to make output of specific strings impossible.

On Thu, Jun 4, 2009 at 12:45 PM, Gregory Maxwell<gmaxwell(a)gmail.com> wrote:
Regarding HTML sanitation: Raw HTML alone without JS is enough to violate users' privacy: Just add a hidden image tag to a remote site. Yes you could sanitize out various bad things, but then that's not raw HTML anymore, is it?

It might be good enough for the purposes at hand, though. What are the use-cases for wanting raw HTML in messages, instead of wikitext or plaintext?
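An added example, not code from this thread or from any project it discusses: an allowlist sanitizer built on Python's standard-library parser, illustrating the "sanitize out various bad things" approach against the hidden-image leak mentioned above. It re-emits only known tags and attributes, drops script-like URL schemes and inline handlers, and keeps an `<img>` only when its `src` names no host, so a message cannot make the reader's browser fetch from a third party. The tag and attribute allowlists and `SAMPLE` are my own assumptions, not anything the thread specifies.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}  # drop these tags *and* everything inside them
SAMPLE = ('<p onclick="x()">Hi <b>there</b> &amp; you</p><img src="http://tracker.example/p.gif"'
          ' width="1"><a href="javascript:alert(1)">x</a><script>alert(1)</script>')  # constructed

def safe_url(value, allow_remote):
    # only relative or http(s) URLs; unless allow_remote, the URL may not name a host
    parts = urlsplit(value.strip())
    return parts.scheme in ("", "http", "https") and (allow_remote or not parts.netloc)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # text arrives unescaped; re-escape on output
        self.out, self.muted = [], 0

    def handle_starttag(self, tag, attrs):
        self.muted += tag in DROP_CONTENT
        if tag not in ALLOWED_TAGS or self.muted:
            return  # unknown or blocked tag: emit nothing for it
        kept = {}
        for name, value in attrs:
            # links may point anywhere, but an <img> src must be host-less: one remote
            # image is enough to leak the viewer's IP and browser to a third party
            if name in ALLOWED_ATTRS.get(tag, ()) and (
                    name not in ("href", "src") or safe_url(value or "", allow_remote=tag == "a")):
                kept[name] = value or ""
        if tag == "img" and "src" not in kept:
            return  # an image that only existed for its remote fetch: drop it entirely
        self.out.append(f"<{tag}" + "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept.items()) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.muted:
            self.muted -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.muted:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.muted:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()  # flush any text buffered after the last tag
    return "".join(s.out)
```

Run on `SAMPLE`, the tracking pixel, the `javascript:` href, the `onclick` handler and the whole `<script>` block are gone while the harmless markup survives; comments and processing instructions are dropped because the parser never calls a handler we emit from.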