christopher@dailycrossword.com 2007-04-24, 6:19 pm

I used to use a technique where I changed all "<>" to "[]" when I
stored user-created HTML data from a user post into a database. When
I displayed it I could change only the tags I wanted back to "<>". By
rewriting the 'unsanctioned' tags the author's intent would be
visible, if not the content. Also, this is a guaranteed safe display
technique that preserves the original post.
However, on the site I am working on there might be a million viewers
a day, and that means considerably more processing time. If I pre-
filter the post before storing I might save 200-2000 filtering
operations, which is considerable. On a broadcast message I send to
every user the number is in the millions.
I am nearly convinced I will store safe HTML in the database, pre-
filtering and maintaining strict rules about tag acceptability.
Is there a consensus or a forum for discussing the merits of storing
and displaying user-created HTML content?
-- clh
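
The two strategies weighed in the post above, sketched in Python as an added example (not the poster's code): store the bracket-swapped original and filter on every display, or filter once at write time and store display-ready HTML. The allowlist, the function names and the sample post are assumptions made for this example, and the output is assumed to be placed in HTML element content; only bare allowlisted tags are restored, so a sanctioned tag carrying attributes stays bracketed.

```python
import re

# Assumed allowlist for this example; the post does not name specific tags.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}

# A bracketed tag with a bare name only, e.g. [b], [/b], [br/].
# Anything carrying attributes (such as event handlers) never matches.
_BARE_TAG = re.compile(r"\[(/?)([A-Za-z][A-Za-z0-9]*)\s*(/?)\]")


def neutralize(post: str) -> str:
    """Swap angle brackets for square brackets so no markup survives."""
    return post.replace("<", "[").replace(">", "]")


def restore_allowed(stored: str) -> str:
    """Turn only bare, allowlisted tags back into real HTML tags."""
    def repl(m):
        closing, name, self_closing = m.groups()
        if name.lower() not in ALLOWED_TAGS:
            return m.group(0)  # unsanctioned tag stays visible as [tag]
        return f"<{closing}{name.lower()}{self_closing}>"
    return _BARE_TAG.sub(repl, stored)


def store_original(post: str) -> str:
    """Option 1: store the neutralized post, filter on every display."""
    return neutralize(post)


def store_prefiltered(post: str) -> str:
    """Option 2: filter once at write time and store display-ready HTML."""
    return restore_allowed(neutralize(post))


# Constructed sample post, not taken from the thread.
SAMPLE = '<b>Hi</b> <script>x()</script> <i onclick="y()">z</i> <a href="q">k</a>'

if __name__ == "__main__":
    row = store_original(SAMPLE)
    print("stored (option 1):", row)
    print("displayed        :", restore_allowed(row))
    print("stored (option 2):", store_prefiltered(SAMPLE))
```

With option 1 a later change to the allowlist applies to every stored post; with option 2 the stored rows keep whatever rules were in force when they were written.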