[imp] Inline HTML Safe?

Chuck Hagenbuch chuck at horde.org
Wed Jun 18 13:13:57 PDT 2003


Quoting Lee <lee at disinfo.com>:

> a) Why can't the insecurity of inline html be simply filtered out by a
> regular expression?

Because what browsers accept as valid javascript is *$@#(*@$& INSANE.

> b) Are there any filters or checks already in the imp code to secure
> inline html?

Yes. We just refuse to guarantee that it catches everything.

-chuck

--
Charles Hagenbuch, <chuck at horde.org>
The alligators were there, too, in a bathtub inside the house.