Strip tags from user input

[smrose]

Currently, we trust all user input. That's a gigantic security risk. Sadly, there is HTML content in existing content that was imported from the pattern sphere - if we strip that entirely, some content won't render the way it was intended. One approach would be to convert it to markdown, then convert markdown to HTML at display time.

[publicsphere]

some related comments & issues: (1) I couldn't locate the pattern that had the truncated context and problem sections. Do you remember what it was? (2) there are a number of issues related to the patterns as they're printed; (a) all paragraphs run together (unless there's actually a

before it; (b) certain characters, like dashes and explicitly begin or end quotation marks show up pretty funky. I don't think your code introduced them, they were there already. (3) If I do go in and change any characters in pattern text, will they survive the port to our open to the public site?

[smrose]

I couldn't find the pattern with truncated strings either, but I think the issue is that I created a "string" type with only 255 characters without checking that the values that needed to be stored there were short enough to fit. There is nothing magical about 255 characters - I could easily double it - or I could use the "text" type instead, which is a few MB.

We have some other issues with the legacy values in general:

1. Some have embedded HTML that should be stripped, but doing so without another way to support rich text would impact usability. That's where I think moving to MarkDown could be the right solution. Besides paragraph breaks, it gives us stuff like <em> and <b> without opening our legs to cross-site scripting issues like HTML does.
2. Like you said, some of the characters aren't rendering properly. I don't have an understanding of how to fix that, so it needs study.