Hi5 HTML filtering stupidity

February 27th, 2007

Hi5, another social networking site, filters HTML code oddly.

Embeds are allowed (I don't think they used to be), but if there are any percent signs (%) in the embed's attributes, it doesn't display. Further testing reveals that hi5 seems to strip out any tag whose attributes contain any URL-encoded (percent-encoded) sequence at all!

For example, this perfectly valid code for a link:

<a href="http://www.google.com/search?q=this%2Fthat">search this/that</a>

will not display properly in a hi5 profile. The <a href="..."> tag gets stripped out because of the %2F (a URL-encoded slash "/").

The downside for me is that pets that have spaces or accented characters in their name will not display on hi5.

I’m guessing that this is their brain-dead way to prevent XSS (cross-site scripting) vulnerabilities as reported here.
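To make the problem concrete, here is an added example (my own code, not hi5's filter, whose real implementation is unknown). It reconstructs the behaviour described above as a hypothetical "drop any tag containing a percent sign" rule and puts it next to a filter that instead decodes the attribute value and checks the URL scheme against an allowlist. The sample tags are constructed; the first one is the Google link from the post.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# Constructed sample inputs (not taken from hi5): the link from the post, a
# pet link with a space in the name, a non-http scheme, and a plain link.
SAMPLE_TAGS = [
    '<a href="http://www.google.com/search?q=this%2Fthat">search this/that</a>',
    '<a href="http://example.com/pets?name=Fluffy%20Cat">my pet</a>',
    '<a href="javascript:void(0)">click</a>',
    '<a href="http://example.com/">plain</a>',
]

TAG_RE = re.compile(r'<(\w+)([^>]*)>')
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def naive_filter(tag: str) -> bool:
    """Hypothetical reconstruction of the behaviour the post describes:
    keep the tag only if no attribute value contains a percent sign."""
    m = TAG_RE.match(tag)
    if not m:
        return False
    return all('%' not in value for _, value in ATTR_RE.findall(m.group(2)))

ALLOWED_SCHEMES = {'http', 'https'}

def url_allowed(value: str) -> bool:
    """Decode the attribute value and allow only http(s) URLs.

    HTML entities are unescaped first, then percent-decoding is applied
    until the value stops changing (bounded), so that encoded forms of a
    scheme are judged on their decoded text rather than on the presence
    of a '%' character."""
    decoded = html.unescape(value)
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    # Whitespace and control characters are removed for the scheme check only.
    cleaned = re.sub(r'[\x00-\x20]', '', decoded)
    return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES

def scheme_filter(tag: str) -> bool:
    """Keep the tag if every URL-bearing attribute has an allowed scheme."""
    m = TAG_RE.match(tag)
    if not m:
        return False
    for name, value in ATTR_RE.findall(m.group(2)):
        if name.lower() in ('href', 'src') and not url_allowed(value):
            return False
    return True

def keep_tags(tags, policy):
    """Apply a policy function to each tag and return the ones it keeps."""
    return [t for t in tags if policy(t)]

if __name__ == '__main__':
    for t in SAMPLE_TAGS:
        print(f'naive={naive_filter(t)!s:5} scheme={scheme_filter(t)!s:5} {t}')
```

Running it shows the mismatch: the percent-sign rule drops the valid Google link and the pet link with `%20`, while the scheme check keeps both and rejects the non-http one. The point is that percent-encoding is a transport detail of URLs, so the right place to make a decision is on the decoded value, not on the raw characters.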

It looks like I’ll have to not encode the flashvars at all on hi5. Hope it works properly…
