On Wed, 2003-09-17 at 00:41, Magnus Manske wrote:
> OK, I hacked a little filter that will remove all parameters from table, td, and th that
> - start with "on" (no JavaScript)
> - have no value and are not "nowrap" ("foo" and "15" above)

In general it's safer to only allow known safe things than to allow anything but known unsafe things. If a new unsafe attribute or tag comes into existence, you're not protected against it.

> It is quick'n'dirty, though. Perhaps we should use some code from removeHTMLtags instead?

Ahhh, code reuse. :)
-- brion vibber (brion @ pobox.com)
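
The point made in this reply, as an added example (not code from the thread or from the project): the filter as described, next to an allowlist version, written in Python for illustration. The attribute grammar, the `ALLOWED` set, the function names and the sample string are assumptions constructed here.

```python
import html
import re

# Assumed attribute grammar: name, optionally ="value", ='value' or =bare.
ATTR_RE = re.compile(r'''([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"']+))?''')
# Assumed allowlist for table/td/th; the real set is a project decision.
ALLOWED = {"align", "valign", "width", "height", "border", "bgcolor",
           "cellpadding", "cellspacing", "colspan", "rowspan", "nowrap"}
# Constructed sample: "futureattr" stands for an attribute nobody listed yet.
SAMPLE = ('border="1" foo 15 nowrap onclick="handler()" '
          'style="anything" futureattr="anything"')


def parse_attrs(raw):
    """Return [(lowercased name, value or None)] from a tag's attribute text."""
    out = []
    for m in ATTR_RE.finditer(raw):
        value = m.group(2)
        if value is not None and value[0] in "\"'":
            value = value[1:-1]          # strip the surrounding quotes
        out.append((m.group(1).lower(), value))
    return out


def denylist_filter(raw):
    """Filter as described: drop on* names and valueless non-nowrap names."""
    return [(n, v) for n, v in parse_attrs(raw)
            if not n.startswith("on") and not (v is None and n != "nowrap")]


def allowlist_filter(raw):
    """Keep only known-safe names; anything unrecognised is dropped."""
    return [(n, v) for n, v in parse_attrs(raw)
            if n in ALLOWED and not (v is None and n != "nowrap")]


def render(attrs):
    """Re-serialise with values re-quoted and escaped."""
    return " ".join(n if v is None else f'{n}="{html.escape(v, quote=True)}"'
                    for n, v in attrs)


if __name__ == "__main__":
    print("denylist :", render(denylist_filter(SAMPLE)))
    print("allowlist:", render(allowlist_filter(SAMPLE)))
```

The denylist output still carries `style` and `futureattr`; the allowlist output carries only `border` and `nowrap`.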