Posts Tagged ‘security’

Bleach, HTML sanitizer and auto-linker

25 Feb

Bleach is a whitelist-based HTML sanitizer and auto-linker in Python, built on html5lib, for AMO and SUMO and released under the BSD license.

Bleach has two main functions: sanitizing HTML based on a whitelist of tags and attributes, and turning URLs into links. It uses html5lib for both.

For more information on using Bleach, see the README included in the source. For more on how Bleach works, follow below the jump.

Posted in Articles

 

Upgrade Flash in Firefox

22 Sep

If you upgraded Firefox lately, you might have seen a message on the start page urging you to upgrade Flash. As of yesterday, something like 12 million people had clicked through to upgrade. That’s a great number.

However, when you got to the Adobe site and clicked the “Agree and Install” button, instead of just saving an installer file, you might have seen this:

(screenshot: update-flash-1) Right there? That’s enough to deter me from this whole process, so I can definitely understand if it scared you off. But this is an important update, a security update, so you need to do it.

Fortunately, it’s very easy to get around this annoying development in Flash. (Their hearts are in the right place with automatic updates, but their implementation leaves something to be desired. Of course, the Adobe Updater makes you quit Firefox to update Photoshop, so this clearly isn’t their strong suit.)

For starters, head to Adobe’s Get Flash page. If you see that annoying bar, click on the [x] in the right corner:

(screenshot: update-flash-2) Now, more towards the middle of the page, look for a link that says “click here to download.”

(screenshot: update-flash-3) That will start downloading the normal installer we’ve come to know and love. Yeah, you’ll still have to restart Firefox, but you were going to need to do that anyway.

There you have it: avoid Adobe’s strange new extra software and get Flash up to date with the latest (really, really important) security fixes.

Posted in Articles

 

Stop Supporting IE6

17 Dec

As a community, as a whole, web designers and developers need to stop supporting Internet Explorer 6. Now. Completely.

I’ve been thinking a lot about browser compatibility as I’ve been working on Today’s Meet. My CSS is valid, but it doesn’t work quite right in IE6. The interface is completely JavaScript-based, and will only become more so in the future. How much time should I put into making it all work with IE6?

None.

Posted in CSS, Design

 

Responsible SQL: How to Authenticate Users

09 Nov

Most SQL-injection articles set a horrible example for young programmers.

Here is a very typical “bad example” of why you need to escape user data before it goes into SQL queries:

    $username = $_POST['username']; // username=admin
    $password = $_POST['password']; // password=' OR 1=1; -- '

    $user = $db->query("SELECT * FROM users WHERE
              username='$username' AND
              password='$password' LIMIT 1;");

The point, of course, is that you must sanitize your user input, or else this person would run this query:

    $user = $db->query("SELECT * FROM users WHERE
              username='admin' AND
              password='' OR 1=1; -- ' LIMIT 1;");

That grants the sneaky user all your admin privileges. Other versions have nefarious users dropping your users or articles tables.

The problem is: this is the wrong way to authenticate users. These examples are written for beginners to understand the importance of sanitizing input, but they also provide a model to those beginners for how user authentication works. And it’s a very bad model.

This is a long one; more after the break.
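To make the contrast concrete, here is an added example (not code from the post) that recasts the PHP pattern above in Python against an in-memory SQLite database so it runs on its own: the post’s interpolated query sits beside a lookup that binds the username as a parameter and checks the password in code against a salted PBKDF2 hash. The table, the two sample accounts and the `admin` / `correct horse` credentials are constructed for the demonstration, and the hashing scheme is an assumption of the example, not something the post prescribes.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption: a reasonable PBKDF2-HMAC-SHA256 work factor for the demo.
PBKDF2_ITERATIONS = 100_000

# The post's payload without the trailing ';', because sqlite3.execute()
# refuses to run more than one statement at a time.
INJECTED = "' OR 1=1 -- "


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return 'iterations$salt_hex$digest_hex' for storage in the users table."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    iterations, salt_hex, _ = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


def make_db():
    """Constructed sample data: an in-memory SQLite stand-in for the post's MySQL table.

    The table carries both a plaintext `password` column (the model the post's
    bad example implies) and a `password_hash` column, so both login functions
    can be run against the same rows.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, "
        "password TEXT NOT NULL, password_hash TEXT NOT NULL)"
    )
    for name, pw in (("admin", "correct horse"), ("alice", "hunter2")):
        db.execute(
            "INSERT INTO users (username, password, password_hash) VALUES (?, ?, ?)",
            (name, pw, hash_password(pw)),
        )
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """The post's pattern: input interpolated into SQL, password compared inside the query."""
    sql = (
        f"SELECT username FROM users WHERE username='{username}' "
        f"AND password='{password}' LIMIT 1"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_responsible(db, username, password):
    """Parameterised lookup by username only; the password never touches the SQL."""
    row = db.execute(
        "SELECT username, password_hash FROM users WHERE username = ? LIMIT 1",
        (username,),
    ).fetchone()
    if row is None:
        return None
    return row[0] if verify_password(password, row[1]) else None


def run_demo():
    """Run both login paths against the sample data and return who got in."""
    db = make_db()
    return {
        "vulnerable_real": login_vulnerable(db, "admin", "correct horse"),
        "vulnerable_injected": login_vulnerable(db, "admin", INJECTED),
        "responsible_real": login_responsible(db, "admin", "correct horse"),
        "responsible_injected": login_responsible(db, "admin", INJECTED),
        "responsible_wrong": login_responsible(db, "admin", "wrong"),
    }


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:22s}: {outcome}")
```

Run it and the interpolated query logs the request in as admin on the post’s payload, while the parameterised lookup returns nothing for the same input and also for a wrong password. In PHP the same shape is a PDO prepared statement with the username bound as a parameter, plus password_hash() and password_verify() for the comparison.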

Posted in Database, MySQL, PHP