[thelist] Disabling CSS?
Hendrik Mans
hm at netzbiest.de
Sun Feb 11 03:58:27 CST 2001
Hi list,
me again. :)
Is there any way (in HTML) to tell the browser to completely ignore all CSS
instructions inside a DIV/SPAN/whatever?
I'm running a discussion site called PlanetCrap (yup) that has a very "open"
format (no registration required, only basic spamming protection, etc). I'm
automatically stripping all HTML tags from my users' posts except for the
basics: <b>, <i>, <a> and so on.
I'm currently writing a new version of the site (at
http://pc5.planetcrap.com), and suddenly realized that people have been able
to do all sorts of nasty stuff by putting CSS instructions into a style=""
attribute. Here's an example:
http://pc5.planetcrap.com/story.php?id=234&since=981775815#num-37
So far, nobody has started abusing this yet, but it's really just a matter
of time, so I want to be prepared. I'd also like to avoid simply using my
own tags (like UBB does).
I'll probably have to write a parsing function that removes the style=""
attributes from all tags that aren't completely removed anyway, but if
there's something in HTML that I can use to somehow make the browser ignore
those attributes, I wouldn't have to bother. You know, something like
<span style="ignore-everything-you-silly-browser">
Hallo, I'm a <b style="font-size: 200pt">h4x0r</b>!!!@%&(!
</span>
Anyone? :)
Thanks,
Hendrik
More information about the thelist
mailing list