Stop Allowing HTML October 9, 2001 4:33 AM

Strip all HTML from posts, only allow a few basic tags by using [ and ] like those funny message boards do. This could allow hyperlinking and basic formatting without the problems that, e.g., the style attribute brings up. (There’s no way to prevent people from impersonating other users, messing up the page, etc., except by disallowing the use of HTML.) What do you think?
posted by gleemax to Feature Requests at 4:33 AM (9 comments total)

Me, I like being able to do <Fake Tags> and (Teeny Tiny Text) for Maximum! Comedic! Impact! since I'm such a smart-ass (or like to think I am at least).

And sometimes somebody does something supercool with HTML, which is always nice.

Matt's call, I guess.
posted by stavrosthewonderchicken at 4:53 AM on October 9, 2001

<Fake Tags> are just character entity references, so there’s no need to get rid of them. As for <small>, <big>, <em>, <strong> (and <b> and <i>), and all the other basic things, we could have simplified versions (that disallow the style attribute). There’s no need for the <font> tag. We have <small> and <big> if you must change the text size, and the user sets his preferred typeface in his preferences.

We’re not losing much, but we’re gaining a lot in terms of protection from malicious users. This also makes it easy to use things like <blockquote> without messing up the entire page, because it can be transformed into something suitable without the user needing to have special knowledge.

In the end, of course it’s Matt’s call, but I’m just trying to put forward a solution to something that, while it hasn’t been a large problem in the past, it very well could be in the future.
posted by gleemax at 6:25 AM on October 9, 2001

To clarify, &lt; and &gt; are character entity references. If it starts with an ampersand (&) and ends with a semicolon (;), chances are it’s a character entity reference.
posted by gleemax at 6:28 AM on October 9, 2001
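
An added example, not part of the original thread and not MetaFilter's code: one way to implement the bracket-tag scheme proposed above, escaping every character of raw HTML and expanding only a whitelist of attribute-free tags. The tag list, the [url=...] syntax, the function names and the sample posts are assumptions made for illustration.

```python
import html
import re

# Assumed whitelist: the basic tags named in the thread. None takes attributes,
# so style= (or any on* handler) has nowhere to go.
ALLOWED = {"b", "i", "em", "strong", "small", "big", "blockquote"}
TOKEN = re.compile(r"\[(/?)([a-z]+)(?:=([^\]\s]+))?\]", re.I)

def html_name(tag: str) -> str:
    return "a" if tag == "url" else tag

def render(post: str) -> str:
    """Escape all raw HTML, then expand whitelisted [tags] into clean markup."""
    out, stack, pos = [], [], 0
    for m in TOKEN.finditer(post):
        out.append(html.escape(post[pos:m.start()]))  # text between tokens
        pos = m.end()
        closing, tag, arg = m.group(1), m.group(2).lower(), m.group(3)
        if not closing and tag in ALLOWED and arg is None:
            stack.append(tag)
            out.append(f"<{tag}>")
        elif (not closing and tag == "url" and arg
              and arg.lower().startswith(("http://", "https://"))):
            stack.append(tag)
            out.append(f'<a href="{html.escape(arg)}" rel="nofollow">')
        elif closing and arg is None and stack and stack[-1] == tag:
            stack.pop()
            out.append(f"</{html_name(tag)}>")
        else:
            out.append(html.escape(m.group(0)))  # unknown or misnested: show as text
    out.append(html.escape(post[pos:]))
    # Close whatever the poster left open so one comment cannot restyle the page.
    out.extend(f"</{html_name(t)}>" for t in reversed(stack))
    return "".join(out)

# Constructed sample posts, not taken from the thread.
SAMPLES = [
    '<i style="font-size:400%">hi</i>',
    "[i]unclosed [b]bold",
    "[url=javascript:void(0)]x[/url] [url=http://example.com/]ok[/url]",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(render(s))
```

Because the output is built only from escaped text and tags the renderer itself emits, the style attribute never has to be stripped after the fact.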

If you allow even one block tag and one inline tag, you're opening the whole CSS can o'worms in browsers that do CSS. Unless you strip the style attribute from all tags (which would just add to the server load), you can't eliminate that.


I did that with the I tag.

posted by rodii at 8:07 AM on October 9, 2001

Eww, nasty. And that was with (in case this is obscured in your browser) the innocent little I tag.

OK, rereading your post, gleemax, I see you want to disallow *all* HTML and go to macros only. That would suck. It's fun to make HTML do occasional tricks for an appreciative audience.

There's a tradeoff between expressiveness and "security" (security here defined as "nobody is able to fuck up the site for everyone else"), just as there always is. I personally think, as I've said here before, that restricting expressiveness is a solution without a real problem. We have some inadvertent HTML mistakes, and one poster who made his thread orange once, but I've never seen real malice.
posted by rodii at 8:14 AM on October 9, 2001

I’ve never seen real malice.

Sometimes, late at night, I worry that MetaFilter won’t be here in the morning.
posted by gleemax at 10:25 AM on October 9, 2001

Isn't there already a thread about this (in fact two or three) in MeTa??

No wonder Matt doesn't want to do a Requested Feature list. He'd have to crawl through 300 posts on the same exact topic...
posted by fooljay at 10:26 AM on October 9, 2001

a Requested Feature list

That, my friend, is a damn good idea. You should suggest it to Matt.
posted by rodii at 11:19 AM on October 9, 2001

I think I will... ;-)

posted by fooljay at 2:31 PM on October 9, 2001
