[Zope] HTML filtering
Alexander Limi
limi@stud.ntnu.no
Fri, 18 Feb 2000 17:10:28 +0100 (MET)
Zopistas,
I've run into a little something that I thought might be interesting.
I run a site that accepts input from users in textboxes, and renders them
afterwards on the public pages.
The problem is, I want to filter out any HTML-tags in the textboxes, so
users can't include their own html on my page. For example they shouldn't
be able to insert <img> tags on the page.
I first thought that if I rendered the text as structured text, maybe those
nasty HTML tidbits would disappear, but they didn't.
So my question is twofold:
1. Is there a way of formatting the text (except <pre>, which is a bit
crude :), so the HTML gets filtered out?
2. If not, would this maybe be a useful addition to the next version
of Zope? Something à la "<dtml-var textentry fmt=filteredtext>"? Maybe to
have different levels of filtering, e.g. to allow tags like <p> and <li>
but disallow all the other tags.
This is a must-have feature when you have users you do not trust 100%, and
so it should be a part of Zope, IMNSHO.
Alexander.
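
The filtering levels asked about above, sketched as an added example that is not part of the original post and is not Zope's own code. It uses only Python's standard `html.parser`; the names `LEVELS` and `filter_html` are hypothetical. Every piece of output is either HTML-escaped or a bare tag whose name is on the allowlist, so attributes such as `onerror` never reach the page.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical filtering levels, modelled on the suggestion in the post.
LEVELS = {
    "strict": frozenset(),                       # no markup survives
    "basic": frozenset({"p", "li", "ul", "ol"}),  # structural tags only
}


class _AllowlistFilter(HTMLParser):
    """Re-emit allowlisted tags without attributes; escape everything else.

    Comments, doctype declarations and processing instructions are dropped
    because the base class handlers for them do nothing.
    """

    def __init__(self, allowed):
        # convert_charrefs=True decodes entities before handle_data, so
        # "&lt;script&gt;" is re-escaped instead of passing through twice.
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append("<%s>" % tag)  # all attributes are discarded
        else:
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        closing = "</%s>" % tag
        self.out.append(closing if tag in self.allowed else escape(closing))

    def handle_data(self, data):
        self.out.append(escape(data))


def filter_html(text, level="strict"):
    """Return text that is safe to place in an HTML element body."""
    parser = _AllowlistFilter(LEVELS[level])
    parser.feed(text)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)
```
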