Nyarly's Journal: Goddammit

Honestly, this should go in the "Slashdot Whining" Topic, but aparently that's not an option, so there you go.

Would it really be so much a risk to allow HTML entities? I mean, really, is there some server crashing, cookie munging XSS entity exploit? C'mon, really. I get frustrated that, say, my description can't be spelled correctly since I can't get an 'e' with an accent acute. Somewhere there's got to be a filter for &.*; or something like it. And it's more complicated than that, since "&.*;" appears but neither é nor é show up. So what's the deal? Is there some rationale for trimming out only well-formed (if invalid) entities?

Tell me about it...

[TechnoLust]

I just submitted a bug report, because I can't get a freaking underscore in the domain of my URLs [slashdot.org]. AN UNDERSCORE! An underscore never hurt anyone, why pick on it?

Re:Tell me about it...

[Nyarly]

I swear, there's got to be about two pages of fucked up perl regex munging to filter everything in the comment boxes, and a lot of it is a certifiable PITA. Fooling with it, I thing the entity filtering has got to be something like:

\(&#[[:digit:]]{3};\)|\(&[[:alpha:]]{3,5}\ )
unless -eq '&;' or -eq ...
or isTuesday()

And I completely agree that I think there's issues of it filtering out things that are legitimate in all kinds of cases. Maybe they're afraid of XSS or SQL injection or breaking the DB, but the nice way to handle that is to replace offending characters with a parsable representation (hey, like SGML entities!) and then reverse the replacement on retreival. But noooo. Too hard, too unmanageable, too complicated. Just disallow anything that's even a little upsetting and be done.

Seriously, all this raving about Open Source software being incredible, but we still hang around on this cobbled together patchwork. Sheesh.

And would it really be that hard to toss an ispell in? That I might pay for. Especially if stories had to pass ispell before they made front page.