Brion Vibber wrote:
Jim Higson wrote:
So far I'm allowing color, face and size; are there any others the PHP parser allows (or should allow)?
Here's what the HTML sanitizer code in 1.5 currently allows:
Common attributes: 'id', 'class', 'lang', 'dir', 'title', 'style'
Specific to <font>: 'size', 'color', 'face'
The <=1.4 code is more permissive as it has only a global attribute whitelist, and will thus allow attributes that don't actually apply to the <font> element.
-- brion vibber (brion @ pobox.com)
Thanks.
Just out of interest, what value is attained from allowing id and class in wikitext? Doesn't this allow people to create messed-up pages by setting id="globalWrapper" or some such thing?
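
The two whitelisting schemes described in the thread, side by side, as an added Python example that is not MediaWiki's code and not part of the original messages. The `td` entry, the sample tag and the function names are constructed, and modelling the <=1.4 list as the union of all lists is an assumption.

```python
from html import escape
from html.parser import HTMLParser

# Lists quoted in the thread for the 1.5 sanitizer.
COMMON = {"id", "class", "lang", "dir", "title", "style"}
PER_ELEMENT = {
    "font": {"size", "color", "face"},
    # Constructed entry (not from the thread) so a second element exists.
    "td": {"colspan", "rowspan"},
}
# Assumed model of the <=1.4 behaviour: one list shared by every element.
GLOBAL = COMMON.union(*PER_ELEMENT.values())

# Constructed sample input.
SAMPLE = '<font color="red" colspan="2" onclick="x()" id="globalWrapper">'


def allowed_for(tag, per_element):
    """Return the attribute names accepted on `tag` under the chosen policy."""
    if not per_element:
        return GLOBAL
    return COMMON | PER_ELEMENT.get(tag, set())


class _StartTags(HTMLParser):
    """Collects (tag, attrs) per start tag; names arrive lowercased."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def sanitize_start_tags(markup, per_element=True):
    """Rebuild each known start tag keeping only whitelisted attribute names.
    Attribute values (e.g. style, id) are escaped but not validated here."""
    parser = _StartTags()
    parser.feed(markup)
    parser.close()
    out = []
    for tag, attrs in parser.tags:
        if tag not in PER_ELEMENT:
            continue  # elements without an entry are dropped in this sketch
        allowed = allowed_for(tag, per_element)
        kept = [(n, v or "") for n, v in attrs if n in allowed]
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        out.append(f"<{tag}{rendered}>")
    return out
```

Under both policies `id="globalWrapper"` survives, because `id` is in the common list; only the per-element policy drops `colspan` from `<font>`.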