On Wed, 2003-09-17 at 00:41, Magnus Manske wrote:
OK, I hacked a little filter that will remove all parameters from table, td, and th that
* start with "on" (no JavaScript)
* have no value and are not "nowrap" ("foo" and "15" above)

In general it's safer to only allow known safe things than to allow
anything but known unsafe things. If a new unsafe attribute or tag comes
into existence, you're not protected against it.

It is quick'n'dirty, though. Perhaps we should use some code from removeHTMLtags instead?

Ahhh, code reuse. :)

-- brion vibber (brion @ pobox.com)
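
The two approaches discussed in this thread, side by side, as an added example (not code from the original messages or from MediaWiki). It is written in Python; the `ALLOWED` set, the sample parameter string and the `scripthook` attribute, which stands in for an unsafe attribute introduced later, are constructed assumptions.

```python
import html
import re

# Tokenizer for a tag's parameter string: name, optionally =value (quoted or bare).
ATTR_RE = re.compile(r"""([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"']+))?""")

# Constructed allowlist for table/td/th (an assumption, not MediaWiki's list).
ALLOWED = {"align", "bgcolor", "border", "cellpadding", "cellspacing",
           "colspan", "rowspan", "valign", "width", "nowrap"}

def parse_attrs(text):
    """Return [(lowercased_name, value_or_None), ...]."""
    out = []
    for m in ATTR_RE.finditer(text):
        value = m.group(2)
        if value is not None and value[0] in "\"'":
            value = value[1:-1]          # strip the surrounding quotes
        out.append((m.group(1).lower(), value))
    return out

def denylist_filter(attrs):
    """Filter as described in the quoted message: drop on* names and
    valueless parameters other than nowrap; everything else passes."""
    return [(n, v) for n, v in attrs
            if not n.startswith("on") and (v is not None or n == "nowrap")]

def allowlist_filter(attrs):
    """Keep only names known to be safe; unknown names are dropped by default."""
    return [(n, v) for n, v in attrs
            if n in ALLOWED and (v is not None or n == "nowrap")]

def render(attrs):
    """Re-serialize with quoted, HTML-escaped values."""
    return " ".join(n if v is None else '%s="%s"' % (n, html.escape(v, quote=True))
                    for n, v in attrs)

# Constructed sample input; "scripthook" is a hypothetical attribute.
SAMPLE = 'border="1" ONCLICK="x()" foo 15 nowrap width=50% scripthook="x()"'

if __name__ == "__main__":
    parsed = parse_attrs(SAMPLE)
    print("denylist :", render(denylist_filter(parsed)))
    print("allowlist:", render(allowlist_filter(parsed)))
```

The denylist output still carries `scripthook`, because nothing in its rules names it; the allowlist drops it without needing to know it exists.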