我应该清理托管CMS的HTML标记吗？ [英] Should I sanitize HTML markup for a hosted CMS?

问题描述

正如它那样，它需要客户输入将被提供给服务的文本任何人来访问他们的网站。我计划使用Markdown，可能与WMD（SO使用的实时降价预览）结合起来用于大块文本。

现在，我应该对他们进行消毒为html输入？鉴于只有少数人编辑他们的'CMS'，所有付费客户，我应该剥离不良的HTML，还是应该让他们疯狂？毕竟，这是他们的'网站'

编辑：为什么我会这样做的主要原因是让他们使用自己的javascript，并拥有自己的css和divs以及哪些不是用于输出

解决方案

为什么不会你清理输入？

如果你不这样做，那么你就是在招惹灾难 - 无论是你的顾客还是你自己。

I am looking at starting a hosted CMS-like service for customers.

As it would, it would require the customer to input text which would be served up to anyone that comes to visit their site. I am planning on using Markdown, possibly in combination with WMD (the live markdown preview that SO uses) for the big blocks of text.

Now, should I be sanitizing their input for html? Given that there would only be a handful of people editing their 'CMS', all paying customers, should i be stripping out the bad HTML, or should I just let them run wild? After all, it is their 'site'

Edit: The main reason as to why I would do it is to let them use their own javascript, and have their own css and divs and what not for the output

解决方案

Why wouldn't you sanitize the input?

If you don't, you're inviting calamity - to either your customer or yourself or both.

这篇关于我应该清理托管CMS的HTML标记吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！