Sanitize Usage
posted on february 21, 2003, tag: movable type
Based on some changes I made around here, and a question posed by Shawn Morrison last night, I'm gonna post a few quick notes about Brad Choate's Sanitize plugin for Movable Type. Because this plugin was packaged with MT 2.6x, and because it's turned on by default, a lot of people either don't know it's doing anything, or don't know how to effectively change what it's doing for the better. Brad's simple description of Sanitize is:
Sanitize is a Movable Type plugin that allows you to clean HTML and other markup that might exist in a comment entry.
Basically, you tell Sanitize which HTML tags to allow, and it will destroy the rest. It's a great idea (especially for security's sake), and works well once you get past the learning curve. By default, Sanitize will allow the following HTML tags:
a href, b, br, p, strong, em, ul, li, blockquote
This allows for the most common of tags, although I think most people will question why br and p are in there. There is a reason: Sanitize cleans HTML tags in comments regardless of whether or not you have "Convert Line Breaks" turned on in your comment configuration. If you do, you know that your comments contain proper p and br tags. Well, if these tags weren't in your allowed list, all of your entries would be stripped of these tags... not a good thing. So leave those in there. But it's important to discuss something related to that br tag...
Do you see that a href tag up there? See how it says a and then it has a space and then says href? Those aren't two different tags. Sanitize is smart enough to understand you if you tell it a tag has multiple attributes. But you do actually have to tell it. If you had just said a up there, instead of a href, then all of your links would be stripped of their href attributes (rendering them quite useless, yes?). This must also be done for empty elements in XHTML that require the closing slash (/). Like, for instance, a br tag. Up there in the default list, it's just br. But I (and anyone using XHTML) use <br />. So, in Sanitize, I need to specify that slash by saying br / instead of just br. Make sense?
Now then, the biggest issue: that missing target attribute. 99% of MT users who upgraded to MT 2.6x didn't notice that any link posted in a comment started opening in the same window after the upgrade. This is because Sanitize's default allowed link tag, a href, doesn't allow for the target attribute. To fix this, change your a href allowance to a href target. Simple! Also note that you can add title too, if you wish, to allow for really complete links (e.g. a href target title).
So then, we've now got an updated list of allowed tags that fits most common usage. Here it is:
a href target title, b, br /, p, strong, em, ul, li, blockquote
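To make the behaviour described above concrete, here is an added example (my code, not Brad Choate's Sanitize plugin, which is Perl running inside Movable Type): a small Python allowlist sanitizer that reads the same comma-separated "tag attr attr /" spec shown above and applies it to a comment. It assumes two things the post implies but doesn't spell out: a tag that isn't on the list is removed while its text stays, and an XHTML <br /> only survives when the spec lists br /. The two spec strings, the sample comment, and the function and class names are mine.

```python
"""Allowlist HTML sanitizer driven by a Sanitize-style tag spec.

Added example; not the Sanitize plugin's own code.  The spec format
("a href target, br /, p") follows the blog post; the stripping rules
for disallowed tags and for <br /> are assumptions stated in the post.
"""
import html
from html.parser import HTMLParser

# The two lists from the post (constructed here as plain strings).
DEFAULT_SPEC = "a href, b, br, p, strong, em, ul, li, blockquote"
UPDATED_SPEC = "a href target title, b, br /, p, strong, em, ul, li, blockquote"


def parse_spec(spec):
    """Turn 'a href target, br /' into {tag: (allowed_attrs, allows_slash)}.

    Each comma-separated entry is one element: the first word is the tag
    name, the remaining words are the attributes it may keep, and a bare
    '/' means the XHTML self-closing form (<br />) is accepted too.
    """
    allowed = {}
    for entry in spec.split(","):
        words = entry.split()
        if not words:
            continue
        tag, rest = words[0].lower(), words[1:]
        allowed[tag] = ({w.lower() for w in rest if w != "/"}, "/" in rest)
    return allowed


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowed tags/attributes; everything else is dropped."""

    def __init__(self, allowed):
        # convert_charrefs=False: entities in the text are passed through
        # as-is instead of being decoded and then re-emitted as live markup.
        super().__init__(convert_charrefs=False)
        self.allowed = allowed
        self.out = []

    def _render(self, tag, attrs, self_closing):
        keep, _ = self.allowed[tag]
        parts = [tag]
        for name, value in attrs:
            if name.lower() not in keep:
                continue  # e.g. onclick, or href when the spec only said 'a'
            if value is None:
                parts.append(name)
            else:
                parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        return "<%s%s>" % (" ".join(parts), " /" if self_closing else "")

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(self._render(tag, attrs, False))
        # Disallowed tag: dropped; its text content still arrives via handle_data.

    def handle_startendtag(self, tag, attrs):
        # Assumption: '<br />' only survives if the spec listed 'br /'.
        if tag in self.allowed and self.allowed[tag][1]:
            self.out.append(self._render(tag, attrs, True))

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        pass  # HTML comments are dropped along with everything else not listed


def sanitize(comment_html, spec):
    """Return comment_html with only the tags/attributes in spec kept."""
    parser = AllowlistSanitizer(parse_spec(spec))
    parser.feed(comment_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample comment: a link with target and a stray event handler,
    # an XHTML line break, and a script block.
    sample = ('<a href="http://example.com/" target="_blank" onclick="x()">hi</a>'
              '<br />text<script>alert(1)</script>')
    print(sanitize(sample, DEFAULT_SPEC))
    print(sanitize(sample, UPDATED_SPEC))
```

Running the demo shows the post's two complaints side by side: under the default spec the link loses its target and the <br /> vanishes, while under the updated spec both survive; in both cases the onclick attribute and the script tag are gone. One caveat worth keeping in mind with any attribute allowlist, this one included: it decides which attributes survive, not what their values contain, so a site that cares about where comment links point would additionally restrict href to http and https URLs.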
I use a slightly different list (I don't allow lists or blockquotes), but this should work for almost anyone. And in case you're not sure where this goes—in your MT admin area, under Blog Config, in Preferences, look in the General Settings section near the bottom (it's above your welcome message).
Also, if you don't like Sanitize at all, you can turn it off. You'll need to place something inside your <$MTCommentBody$> tag, though. To disable Sanitize, change that tag to: <$MTCommentBody sanitize="0"$> and you'll be all set.
Comments
There are 5 comments, comments are closed
Ellie on 02/21/2003:
Thanks Garrett... this was really helpful.
Josh on 02/21/2003:
Pardon my ignorance but I cannot figure out where to edit so that links will open in a new window. I don't remember having this problem in the past but it's very frustrating.
Josh on 02/21/2003:
I figured it out, and borrowed some of your code, hope you don't mind.
Garrett on 02/21/2003:
As I said in the tutorial, you need to change the Sanitize allowed tags to what I wrote. Try that, and people will be allowed to use target tags. If you mean that you want links to automatically target a blank window, see my tutorial from the More Changes entry.
Garrett on 02/21/2003:
Ah, glad you got it working. Don't mind at all, either. Share!