[Zope] How to filter unwanted strings within a form's textarea?

Oliver Bleutgen <myzope@gmx.net>
Thu, 12 Jul 2001 17:22:08 +0200


> On Thu, 12 Jul 2001, Ausum wrote:
>> I need my local users to create content using html tags within a
>> textarea, but I don't want them to include links to external image
>> resources.
>>
>> My idea is to enable a filter that looks for the
>> "http://www.whatever_ext_site.com" string within the img tag, and then
>> erase it before posting the whole form data to the proper method.
>>
>> Is there a simple way for doing this?
>> (If not, what is the hard way? :)  )

> The hard way would be to parse HTML yourself using sgmllib and remove
> img tags.

Just be careful, Ausum, you might end up in a world of pain if your users get
ambitious:


<div onMouseover="document.write(unescape('%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%7a%6f%70%65%2e%6f%72%67%2f%49%6d%61%67%65%73%2f%7a%6f%70%65%6c%6f%67%6f%2e%67%69%66%22%3e'))">
touch me
</div>

or

<object data="http://www.zope.org/Images/zopelogo.gif" type="image/gif"></object>

There are also many ways of obfuscating URLs,

<img src="http://yourlocalhostname@1063661857/Images/zopelogo.gif">

cheers,
oliver
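
The three cases above all slip past a filter that searches for an "http://" string inside img tags. The following is an added example, not part of the original message or of Zope: an allowlist sanitizer built on Python's html.parser (the successor to sgmllib). The tag and attribute policy, the LOCAL_PATH rule and the sample strings are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy: tag -> attributes users may set. Everything else is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "div": set(), "img": {"src", "alt"}}
VOID = {"img"}  # elements that take no end tag
# Assumed rule: local images are plain relative or root-relative paths.
LOCAL_PATH = re.compile(r"/?[\w.~-]+(/[\w.~-]+)*", re.ASCII)


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # <object>, <script>, <embed>, ... never reach the output
        kept = []
        for name, value in attrs:  # the parser lowercases tag and attribute names
            if name not in ALLOWED[tag] or value is None:
                continue  # drops onmouseover= and every other event handler
            if name == "src" and not LOCAL_PATH.fullmatch(value):
                return  # scheme, host, userinfo or escapes: drop the whole tag
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped, never passed through raw


def sanitize(markup):
    """Rebuild markup from allowed tags and attributes only."""
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()  # flush text buffered by convert_charrefs
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed input modelled on the obfuscated-URL case in the message.
    print(sanitize('<p>x <img src="http://yourlocalhostname@1063661857/a.gif"></p>'))
```

Because the output is rebuilt from what the parser recognised rather than edited in place, an unknown tag or attribute is dropped by default instead of needing its own rule.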