[thelist] Disabling CSS?

Hendrik Mans hm at netzbiest.de
Sun Feb 11 03:58:27 CST 2001


Hi list,

me again. :)

Is there any way (in HTML) to tell the browser to completely ignore all CSS
instructions inside a DIV/SPAN/whatever?

I'm running a discussion site called PlanetCrap (yup) that has a very "open"
format (no registration required, only basic spamming protection, etc). I'm
automatically stripping all HTML tags from my users' posts except for the
basics: <b>, <i>, <a> and so on.

I'm currently writing a new version of the site (at
http://pc5.planetcrap.com), and suddenly realized that people have been able
to do all sorts of nasty stuff by putting CSS instructions into a style=""
attribute. Here's an example:

http://pc5.planetcrap.com/story.php?id=234&since=981775815#num-37

So far, nobody has started abusing this yet, but it's really just a matter
of time, so I want to be prepared. I'd also like to avoid simply using my
own tags (like UBB does).

I'll probably have to write a parsing function that removes the style=""
attributes from all tags that aren't completely removed anyway, but if
there's something in HTML that I can use to somehow make the browser ignore
those attributes, I wouldn't have to bother. You know, something like

  <span style="ignore-everything-you-silly-browser">
    Hallo, I'm a <b style="font-size: 200pt">h4x0r</b>!!!@%&(!
  </span>

Anyone? :)

Thanks,
Hendrik





More information about the thelist mailing list