Web authoring advice
Saturday, October 1st, 2005 10:39 pm
I've been sort-of commissioned to make a website for Marom. Now the only complex websites I've made until now have been strictly functional ones for work, driven by Perl CGI backends and with no security measures, as behind work's firewall. I can stumble my way through simple JavaScript from knowledge of C++, but don't know any Flash.
So I have a few questions for anyone who's made a public-facing website beforehand:
Firstly, any recommendations for a host ISP? This is a site of interest probably only to a few hundred people, but those few hundred might be visiting it frequently.
Secondly, as regards making it updatable by non-techies, I was thinking of providing proformas and inclusion of "what's on this week" files, etc, by server-side includes. Are server-side includes something ISPs are likely to provide?
Thirdly, would I stand a chance of having Perl available as a backend? And if so, how do you make it secure? I gather taint-checking is involved; once I've taken that into account, can I leave it all to Perl? Actually, I probably don't need Perl for the basic proposition, but when I was talking about it with Assael, he waxed lyrical about the possibilities -- message boards, a dating subsite, the works -- and it would be nice to be able to extend the site after its initial launch.
Any other advice whilst I'm at it?
no subject
Date: 2006-05-27 10:22 pm (UTC)
The linked script allows a user who has a login on the system the CGI runs on to (over-)write any filename that the CGI can write to.
Good point, though not relevant as I'm not using the save-back-to-disk part of the script.
Stripping out script tags from HTML is doomed to failure unless you do a full SGML parse and reconstruct the message using only known-good elements and conservative quoting, since you cannot possibly hope to take account of the quirks of everyone else's HTML parsers.
Does changing all angle brackets into HTML entities such as I have in my script count as conservative quoting in this instance?
no subject
Date: 2006-05-27 10:43 pm (UTC)
no subject
Date: 2006-05-28 08:38 am (UTC)
no subject
Date: 2006-05-28 10:24 am (UTC)
Ah, right. I'm unclear at what point you're substituting into HTML, but whatever point that is is the point you should SGML quote it, and not before.
I would:
Obviously you need to know what the input encoding is in order to be able to correctly interpret any bytes outside the 0-127 range. DisOrder uses <form ... enctype="multipart/form-data" accept-charset=utf-8> to request that the input be UTF-8.
Once you have encoded every character with special meaning, there is no need to delete script tags, since there's no possibility of anything being interpreted as a tag any more.
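The approach this comment describes, written out in Perl as an added example (not code from the original post or from any commenter); the handler name `render_message` and the sample post are made up for illustration:

```perl
#!/usr/bin/perl
# Added example: escape untrusted text at the moment it is substituted into
# HTML, instead of trying to strip <script> tags out of it beforehand.
# (A real CGI would also run under -T for taint checking.)
use strict;
use warnings;
use Encode qw(decode encode);

# Replace every character with special meaning in HTML text and in
# attribute values by its entity, so nothing in the input can be read
# as markup by any browser's parser.
sub html_escape {
    my ($text) = @_;
    my %entity = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Form data arrives as raw bytes. The form was sent with
# accept-charset=utf-8, so decode as UTF-8 (croaking on malformed input
# rather than guessing), escape the decoded characters at the point of
# substitution, and re-encode the finished HTML for output.
sub render_message {
    my ($raw_bytes) = @_;
    my $text = decode('UTF-8', $raw_bytes, Encode::FB_CROAK);
    my $html = '<p class="message">' . html_escape($text) . '</p>';
    return encode('UTF-8', $html);
}

# Constructed sample input: the sort of thing a message-board post might
# contain, including a script tag, quotes and a non-ASCII character.
my $posted = "Tom & Jerry say <script>alert(1)</script> \"hi\" \xc3\xa9";
print render_message($posted), "\n";
```

Because every `<`, `>`, `&` and quote in the post has been turned into an entity, the script tag survives only as visible text, which is why no tag-stripping pass is needed.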
no subject
Date: 2006-05-28 11:03 am (UTC)