Consider why this is a difficult thing to do with no standard solution.
It is because it is an odd thing to do.
That sounded very rude so I hope you are still with me. (I'm really not trying to be rude, just direct.)
What I mean is that you are posting the data (expected) and the template (unexpected).
Here, by template, I mean HTML.
HTML is really just a template.
I'm on the outside of your solution so I immediately think, "Why? Why is Sander posting HTML, when the HTML (template) should be described at the server side? Why would he post HTML when that is surely described on the server side? Since it is on the server side, the server doesn't need the template data posted since it already has it."
The only reason I can figure is that you are allowing users to post markup for their posts, something like you can do here in this forum. Is that it?
If it is, then this will always be a challenge, because now you actually have to become an HTML parser because now instead of allowing a browser to handle the __template__ you have to pull out the bytes which represent the __template__ and separate them from the bytes which are the data.
Well, I'm not offering much of a solution, but possibly a different take on what is really going on.
I think separation of concerns leads us to think more clearly about each piece of a solution.
Hopefully I've added something to this discussion.
Yeah, thanks. You're right.
It is an odd thing to do.
And indeed the user can add markup to stuff.
Ultimately I've just disabled the check, since it's an internal intranet application and the customer has explicitly asked to be able to do HTML markup.
I leave it to them to not use script tags and that kind of stuff.
I've already secured it a bit with an HTML editor that translates <> typed by the user to &lt;&gt;, so it ain't that bad.
Just don't hack the browser or post HTTP requests directly.
Although that can be considered bad intent and cost employees their job and who knows more (which still doesn't make the data right though).
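
What "becoming an HTML parser" on the server can look like, as an added example that is not code from either poster: an allow-list filter on Python's standard `html.parser` that re-applies the markup policy to whatever reaches the server, so the result does not depend on the browser-side editor having encoded the input. The tag list and URL schemes are an assumed policy, and all names are hypothetical.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: formatting tags only, links to web/mail URLs.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class MarkupFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping += 1
        if self.skipping or tag not in ALLOWED_TAGS:
            return                      # unknown tags vanish; their text is kept as data
        href = ""
        if tag == "a":                  # the only attribute ever re-emitted
            for name, value in attrs:
                url = (value or "").strip()
                if name == "href" and url.lower().startswith(SAFE_SCHEMES):
                    href = f' href="{escape(url, quote=True)}"'
        self.out.append(f"<{tag}{href}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in self.open_tags:
            while True:                 # close anything left open inside this element
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))   # data is always re-encoded as text

def sanitize(markup: str) -> str:
    f = MarkupFilter()
    f.feed(markup)
    f.close()
    f.out.extend(f"</{t}>" for t in reversed(f.open_tags))
    return "".join(f.out)
```

Because the output is rebuilt from parsed tokens rather than edited in place, only tags on the allow-list are ever emitted, and every attribute except a checked `href` is dropped.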
Don't know, but it would kinda explain Justin Bieber if it was suddenly discovered that his parents were first cousins...
Anything that is unrelated to elephants is irrelephant Anonymous - The problem with quotes on the internet is that you can never tell if they're genuine Winston Churchill, 1944 - I'd just like a chance to prove that money can't make me happy. Me, all the time