On Thu, Jun 4, 2009 at 11:56 AM, Neil Harris <usenet@tonal.clara.co.uk> wrote:
> However, writing a JavaScript sanitizer that restricted the user to a "safe" subset of the language, by first parsing and then resynthesizing the code using formal methods for validation, in a way similar to the current solution for TeX, would be an interesting project!
Interesting, but probably not very useful. If we restricted JavaScript the way we restricted TeX, we'd have to ban function definitions, loops, conditionals, and most function calls. I suspect you'd have to make it pretty much unusable to make output of specific strings impossible.
On Thu, Jun 4, 2009 at 12:45 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote:
> Regarding HTML sanitation: raw HTML alone, without JS, is enough to violate users' privacy: just add a hidden image tag to a remote site. Yes, you could sanitize out various bad things, but then that's not raw HTML anymore, is it?
It might be good enough for the purposes at hand, though. What are the use-cases for wanting raw HTML in messages, instead of wikitext or plaintext?
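The parse-then-resynthesize approach from the thread, applied to HTML rather than JavaScript, as an added example that is not part of the original discussion or of MediaWiki's own sanitizer: an allowlist parser that re-emits only known-safe elements and attributes, refuses non-http(s) URLs, and drops any <img> whose source would make the reader's browser contact an untrusted host (the tracking-pixel case Gregory raises). The tag, attribute and host allowlists are assumed values for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
TRUSTED_HOSTS = {"upload.wikimedia.org"}  # assumed: hosts a reader may be made to fetch from

def _url_ok(tag, value):
    """Only http(s) URLs; an <img src> must also point at a trusted host."""
    parts = urlparse(value)
    if parts.scheme not in ("http", "https"):
        return False                      # rejects javascript:, data:, etc.
    return tag != "img" or parts.hostname in TRUSTED_HOSTS

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.dropped = [], [], []  # output, emitted elements, audit log

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                        # unknown element: emit nothing
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # on* handlers, style, etc. never pass
            if name in ("href", "src") and not _url_ok(tag, value):
                self.dropped.append(f"<{tag} {name}={value!r}>")
                return                    # drop the whole element, log it
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:              # only close elements we emitted
            self.open.remove(tag)
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))     # text is always escaped, never raw

def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped
```

The `dropped` list is the detection hook: a message that repeatedly triggers it is worth looking at even though the sanitized output is harmless.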