StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
1608838
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
3
CommunityOwnedDate
CreationDate
2009-10-22T17:46:07.163
FavoriteCount
0
LastActivityDate
2009-10-30T23:21:26.910
LastEditDate
2009-10-30T23:21:26.910
LastEditorUserId
90723
OwnerUserId
90723
ParentId
1608758
PostTypeId
2
Score
2
ViewCount
0
LastEditorDisplayName
text
Body
<p>That's an entirely reasonable approach. For typical applications it will be entirely sufficient.</p> <p>The trickiest part of white-listing raw HTML is the <code>style</code> attribute and <code>embed</code>/<code>object</code>. There are legitimate reasons why someone might want to put CSS styles into an otherwise untrusted block of formatted text, or say, an embedded YouTube video. This issue comes up most commonly with feeds. You can't trust the arbitrary block of text contained within a feed entry, but you don't want to strip out, e.g., syntax highlighting CSS or flash video, because that would fundamentally change the content and potentially confuse anyone reading it. Because CSS can contain dangerous things like behaviors in IE, you may have to parse the CSS if you decide to allow the <code>style</code> attribute to stay in. And with <code>embed</code>/<code>object</code> you may need to white-list hostnames.</p> <p><strong>Addenda:</strong></p> <p>In worst case scenarios, HTML escaping everything in sight can lead to a very poor user experience. It's much better to use something like one of the HTML5 parsers to go through the DOM with your whitelist. This is much more flexible in terms of how you present the sanitized output to your users. You can even do things like:</p> <pre><code><div class="sanitized"> <div class="notice"> This was sanitized for security reasons. </div> <div class="raw"><pre> &lt;script&gt;alert("XSS!");&lt;/script&gt; </pre></div> </div> </code></pre> <p>Then hide the <code>.raw</code> stuff with CSS, and use jQuery to bind a click handler to the <code>.sanitized</code> <code>div</code> that toggles between <code>.raw</code> and <code>.notice</code>:</p> <p>CSS:</p> <pre><code>.raw { display: none; } </code></pre> <p>jQuery:</p> <pre><code>$('.sanitized').click(function() { $(this).find('.notice').toggle(); $(this).find('.sanitized').toggle(); }); </code></pre>
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POWhat is the best way to handle user generated html content that will be viewed by the public?
  singulars
  PostTypePostTypeId
  PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USBob Aman
UserOwnerUserId
1. USBob Aman
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POWhat is the best way to handle user generated html content that will be viewed by the public?
  singulars
  PostTypePostTypeId
  PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
  singulars
  PostPostId
  PO
  UserUserId
  This table or related slice is empty.
  VoteTypeVoteTypeId
  VTAcceptedByOriginator
2. VO
  singulars
  PostPostId
  PO
  UserUserId
  This table or related slice is empty.
  VoteTypeVoteTypeId
  VTUpMod
3. VO
  singulars
  PostPostId
  PO
  UserUserId
  This table or related slice is empty.
  VoteTypeVoteTypeId
  VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.