Comments on: Lisp HTML sanitizer http://www.3ofcoins.net/2008/10/24/lisp-html-sanitizer/ Just another WordPress weblog Thu, 02 Sep 2010 16:54:01 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: Maciej http://www.3ofcoins.net/2008/10/24/lisp-html-sanitizer/comment-page-1/#comment-3 Maciej Fri, 14 Nov 2008 13:53:00 +0000 http://www.3ofcoins.net/?p=38#comment-3 Yes, that's big pain - anyone can post just about anything, and it's my problem how to handle it. This time, I have to allow basic formatting, so I have to parse HTML to disallow injections, XSS, and so on; for simpler cases, I usually just use regexps. If a whitelist is all you need, you have a few ways: you can use simple list of strings, if there are just a few possible values; if there are more values, you can use a hash table. Sometimes I like to use packages instead of a hash table - you create a new package, that doesn't use any other (including CL), use INTERN or READ to put symbols in the package, and FIND-SYMBOL to check if symbol exists. And if there are many possible values, or the check is complicated, I'd use database anyway, so I'd leave consistency checking there. HTH :) Yes, that’s big pain – anyone can post just about anything, and it’s my problem how to handle it. This time, I have to allow basic formatting, so I have to parse HTML to disallow injections, XSS, and so on; for simpler cases, I usually just use regexps.

If a whitelist is all you need, you have a few ways: you can use simple list of strings, if there are just a few possible values; if there are more values, you can use a hash table. Sometimes I like to use packages instead of a hash table – you create a new package, that doesn’t use any other (including CL), use INTERN or READ to put symbols in the package, and FIND-SYMBOL to check if symbol exists. And if there are many possible values, or the check is complicated, I’d use database anyway, so I’d leave consistency checking there.

HTH :)

]]> By: Bryan Emrys http://www.3ofcoins.net/2008/10/24/lisp-html-sanitizer/comment-page-1/#comment-2 Bryan Emrys Thu, 13 Nov 2008 17:47:51 +0000 http://www.3ofcoins.net/?p=38#comment-2 I've blocked out most of this weekend to think about how to sanitize any and all inputs into a webapp I'm working on. (My first lisp app). But in my case, I'm not providing text areas to anyone, it is just figuring out the most efficient way to run whitelist checks on everything. I don't think it is any easier than dealing with a textarea because you can always have some malicious type try to post stuff. I’ve blocked out most of this weekend to think about how to sanitize any and all inputs into a webapp I’m working on. (My first lisp app). But in my case, I’m not providing text areas to anyone, it is just figuring out the most efficient way to run whitelist checks on everything. I don’t think it is any easier than dealing with a textarea because you can always have some malicious type try to post stuff.

]]>