Tonight, I borrowed LiveJournal's comment filtering code and made it into a MovableType plugin: MTCleanHTMLPlugin

After all that ramble about having open system and not having been the victim of an exploit, SamRuby inadvertently revealed one gapingly wide hole for me. Not that he did anything to exploit it - I just realized that a bug he tripped over could be used for more nefarious purposes. So, I closed the hole, and after a bit of quick research went a bit further and made a new MovableType plugin. Borrowing LiveJournal's code yields a filter which strips out most nasty ?JavaScript exploits, and attempts to close tags left lazily open.

Hope someone finds a use for it.


Archived Comments

  • Should this tag be wrapped around the TrackBack pings also?
  • Hmm, that might not be such a bad idea. Really, wherever you allow content submitted by someone other than you, you should use this tag (or something like it).
  • Well, I didn't think at first, but at least what I do is include a call to the cgi with php, so it wouldn't work anyway. Maybe the logic could be (or already is) included there. I haven't looked at the source yet, but then I'm just learning Perl now, so I don't know if I would identify the right spot yet :)
  • Thanks for another good one!
  • l.m. so, I'm looking at the instructions and where I see this: . |-- README |-- extdir | `-- MT | `-- decafbad | `-- `-- plugins `-- I'm perplexed. I don't have an extdir directory. I have an extlib directory, but it doesn't have an MT in it... so, where does all of this stuff go, off your root MT installation? Thanks, John (I really just want to be an end user, but find myself being a hacker, in that I'm being forced to install hacks on a piece of software in a language I know very little about.)
  • John, you can put it under extlib. If you don't have an MT subdir in there then you can just create one, then another subdir called decafbad. Also if you don't have the plugins directory in your root MT folder you'll have to create that one as well. Hope that helps
  • D'oht, good catch John - it's supposed to be "extlib", not "extdir". I'll see about updating that today! Sorry about that!