On 18-Aug-06, at 12:27 PM, Chris Schults wrote:

>> I don't think there would be any security issues with allowing html
>> in the title, at least none beyond allowing html anywhere. Titles
>> tend to be short and formatted in a specific way on the page,
>> however, and are also used in the browser's title bar (which doesn't
>> allow html formatting).
>
> So, why is the HTML being stripped out then? I assume there is a
> reason. If not, my editors and contributors would love it if I remove
> this restriction.

Well, I'm not aware of the reason. Scoop was like that from before I ever heard of it. It would certainly be possible to add HTML capabilities to titles, as it's not hard to add a "context" to the allowed_html system (context being something like the story intro, body, a comment, user prefs - you can specify what html is permitted where, see the scoop admin guide for more details). You'd have to make a few changes to the code, to make the title filtered through the "filter_comment" function instead of "filter_subject", for example.

> One side effect, of course, is that the HTML might be preserved in
> other places where the title is used. Case in point, same example:
> http://gristmill.grist.org/story/2006/8/18/12035/1766. Note the
> browser's page title. Thus, you might need to recode blocks, boxes,
> ops and perhaps the codebase as necessary.

That is exactly what I meant when I said titles are used in the browser's title bar. I'm sure there's a function to remove html from text, I just can't remember what it's called offhand. You'd want to run the title through that to strip HTML (or convert it to something sensible for a browser title bar) before scoop puts it in the subtitle special key - also a small code change.

If any of the developers who've been around longer than I have (rusty?) want to comment on this, please speak up.

-janra
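An added example, not part of the original message and not Scoop's own code: a Python sketch of the two steps discussed above, a per-context tag allowlist that lets titles carry a few inline tags, and a plain-text rendering of the same title for the browser title bar. The `ALLOWED_HTML` table, the context names and the function names are hypothetical.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical per-context tag allowlists (constructed; not Scoop's real table).
ALLOWED_HTML = {
    "title": {"em", "i", "b", "strong"},
    "comment": {"em", "i", "b", "strong", "p", "blockquote", "code"},
    "plain": set(),  # e.g. the browser title bar: no markup at all
}

class _AllowlistFilter(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.stack = allowed, [], []

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:          # attributes are always dropped
            self.out.append(f"<{tag}>")
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:            # ignore stray or disallowed closers
            while True:                  # close inner tags first (re-nesting)
                top = self.stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        # Text arrives entity-decoded; re-encode so it can never become markup.
        self.out.append(escape(data, quote=True))

    def result(self):
        self.close()                     # flush any buffered text
        while self.stack:                # balance anything left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def filter_html(text, context):
    """Keep only the tags allowed in `context`; escape everything else."""
    f = _AllowlistFilter(ALLOWED_HTML[context])
    f.feed(text)
    return f.result()

def title_for_browser(text):
    """Tag-free, escaped, whitespace-collapsed form for the <title> element."""
    return " ".join(filter_html(text, "plain").split())
```

The stored title would go through `filter_html(title, "title")` for the page body and through `title_for_browser(title)` wherever it lands in a tag-free slot such as the page title.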