On Wed, Apr 10, 2019 at 09:28 PM, Shal Farley wrote:
> The code that saves the edited page deliberately strips many HTML tags and parameters. Same for the message editor. Same for the code that processes an incoming email message for display.
Yep. Very aware of that.
> I'm not sure what that code looks like, but it wouldn't surprise me to learn that it is structured as a "whitelist" of things to allow. That's about the only reasonably safe way to handle user-supplied HTML code. Otherwise you run the risk of some clever crook figuring out a code sequence to exploit your web site and/or its users.
Surely javascript, iframes, forms and such can be problematical. But -- with full acknowledgment that I'm not as clever as the crooks -- I do struggle with seemingly benign inline styles.
I am grateful to Tom for providing that bootstrap web site URL. Slogging through the style sheet itself to find what you want is a chore...even more so when minimized.
Regards,
Bruce
--
The system Help is your friend.
/static/help
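
An added example, not part of the original message and not the site's own code: a minimal allowlist sanitizer of the kind described in the quoted text, applied to inline styles as well as tags. The tag and CSS property lists are constructed for illustration; anything not listed is dropped, and style values containing functions, URLs or escapes are rejected rather than parsed.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "br", "span", "div"}   # constructed lists, not the site's
STYLE_TAGS = {"span", "div"}                          # only these may carry style=""
ALLOWED_CSS = {"color", "background-color", "font-weight", "text-align"}

def clean_style(value):
    """Keep allowlisted properties whose values are plain tokens."""
    kept = []
    for decl in value.split(";"):
        prop, _, val = (part.strip() for part in decl.partition(":"))
        if prop.lower() in ALLOWED_CSS and val and not set(val) & set("()\\/:<>\"'"):
            kept.append(f"{prop.lower()}: {val}")
    return "; ".join(kept)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1              # drop these elements' text as well
        if tag not in ALLOWED_TAGS:
            return                      # tag dropped; its text is kept, escaped
        style = clean_style(dict(attrs).get("style") or "") if tag in STYLE_TAGS else ""
        self.out.append(f'<{tag} style="{escape(style)}">' if style else f"<{tag}>")
        if tag != "br":
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        while tag in self.open:         # stray closers are ignored
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out + [f"</{t}>" for t in reversed(parser.open)])
```

Because the output is rebuilt only from listed names, every other attribute, tag and style property disappears without the code having to recognise it.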