Brad Choate's 'Sanitize' plugin for MT

· Weblog Concepts

Apparently, if an MT blog allows HTML in comments and serves its pages with an executable file extension (such as .php or .shtml), this opens up a security risk: server-side code inserted into a comment could be executed when the page is rebuilt. Brad Choate has released a plugin called Sanitize that lets MT users exclude all but a specified list of HTML tags in comments:

[T]he quick fix to this problem is to disallow HTML comments. But if you want to keep your HTML comments and strip them of unsafe tags, you can use the Sanitize plugin to clean them up. Here’s how you might use it:

<MTCommentBody sanitize_html="a href,b,br,p,strong,em,ul,li,blockquote">

The tags listed in the ‘sanitize_html’ attribute are the tags that are allowed. Any tags not listed will be removed. In addition, the JSP, ASP, PHP and SSI markups are automatically stripped out to prevent abuse. Attributes must also be specified (as of the 1.1 update).
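To show how the allow-list in the 'sanitize_html' attribute works, here is an added Python sketch of the same idea (not Brad Choate's Perl code, and not part of this post): it parses the 'tag attr,tag,...' spec, rebuilds the comment keeping only listed tags and attributes, and strips PHP, ASP/JSP and SSI markup first. The refusal of javascript: URLs in href is extra hardening of my own, beyond what the post describes.

```python
import re
from html import escape
from html.parser import HTMLParser

# Server-side markups the plugin strips outright: PHP/XML PIs, ASP/JSP, SSI.
SERVER_MARKUP = re.compile(r"<\?.*?\?>|<%.*?%>|<!--#.*?-->", re.S)

def parse_spec(spec):
    """Parse 'a href,b,br' into {'a': {'href'}, 'b': set(), 'br': set()}."""
    allowed = {}
    for item in spec.split(","):
        parts = item.lower().split()
        if parts:
            allowed[parts[0]] = set(parts[1:])
    return allowed

class Sanitizer(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.allowed, self.out = allowed, []
    def _open(self, tag, attrs, self_closing=False):
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag] or value is None:
                continue  # attribute not listed for this tag: drop it
            # Hardening beyond the post's description: refuse script URLs.
            if name == "href" and value.strip().lower().startswith("javascript:"):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>"
    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:  # unlisted tags vanish; their text is kept
            self.out.append(self._open(tag, attrs))
    def handle_startendtag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(self._open(tag, attrs, self_closing=True))
    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def sanitize_html(text, spec):
    """Roughly what <MTCommentBody sanitize_html="..."> does to one comment."""
    parser = Sanitizer(parse_spec(spec))
    parser.feed(SERVER_MARKUP.sub("", text))
    parser.close()
    return "".join(parser.out)
```

HTML comments are not re-emitted (the parser's default comment handler is a no-op), which is why an SSI directive cannot survive inside one.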