Hi5, another social networking site, filters HTML code oddly. Embeds are allowed (I don’t think they used to be), but if there are any percent signs (%) in the embed’s attributes, it doesn’t display. Further testing reveals that hi5 seems to strip out any tag whose attributes contain URL-encoded (percent-escaped) characters at all!
For example, this perfectly valid code for a link:
<a href="http://www.google.com/search?q=this%2Fthat">search this/that</a>
will not display properly in a hi5 profile. The <a href="..."> tag gets stripped out because of the %2F (a URL-encoded slash, “/”).
The downside for me is that pets that have spaces or accented characters in their name will not display on hi5.
I’m guessing that this is their brain-dead way to prevent XSS (cross-site scripting) vulnerabilities as reported here.
It looks like I’ll have to not encode the flashvars at all on hi5. Hope it works properly…
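The following is an added example, not code from the original post and not hi5’s own filter. It models the behaviour described above (any tag whose attributes contain a percent sign is dropped) and compares an embed whose flashvars are percent-encoded against one where the values are left raw, as the post proposes. The filter model, the pet names, the `.swf` URL and the function names are all assumptions made for illustration; the one thing the example adds beyond the post is that raw values still need ordinary HTML attribute escaping, and cannot contain the flashvars delimiters `&` or `=`.

```javascript
// Added example; not code from the original post or from hi5.
// It models the filtering behaviour the post describes and compares
// percent-encoded flashvars against raw (unencoded) ones.

// Model of hi5's observed rule: any tag whose attributes contain a percent
// sign is dropped. Assumption: built only from the post's description, not
// from hi5's actual filter, so the offending tag is dropped as a whole and
// anything outside it (text, closing tags) is left alone.
function hi5Filter(html) {
  return html.replace(/<([a-zA-Z][^\s>]*)(\s[^>]*)?>/g, (tag, name, attrs) =>
    attrs && attrs.includes('%') ? '' : tag);
}

// True when the markup comes through the modelled filter unchanged.
function survivesHi5(html) {
  return hi5Filter(html) === html;
}

// Escape the characters that are special inside a double-quoted HTML
// attribute value. This is HTML escaping, not percent-encoding, so it never
// produces a '%' and therefore does not trigger the modelled filter.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build a flashvars query string. With encode=true each value is
// percent-encoded (the normal way to carry spaces, accents, '&' and '=');
// with encode=false values are left raw, which is what the post proposes
// for hi5.
function buildFlashvars(vars, encode) {
  return Object.entries(vars)
    .map(([k, v]) => `${k}=${encode ? encodeURIComponent(v) : v}`)
    .join('&');
}

// Raw values are only usable when no value contains a flashvars delimiter
// ('&' or '='); otherwise the key/value structure is corrupted.
function rawFlashvarsSafe(vars) {
  return Object.values(vars).every(v => !/[&=]/.test(v));
}

// Assemble the <embed> tag. Both attribute values are HTML-escaped so a
// quote or ampersand in a pet name cannot break out of the attribute.
function buildEmbed(swfUrl, vars, encode) {
  const fv = escapeAttr(buildFlashvars(vars, encode));
  return `<embed src="${escapeAttr(swfUrl)}" flashvars="${fv}" ` +
         `type="application/x-shockwave-flash">`;
}

// Constructed sample input: a pet name with a space and an accented letter,
// and a hypothetical .swf URL.
const SAMPLE_VARS = { name: 'Señor Whiskers', mood: 'happy' };
const SAMPLE_SWF = 'http://example.invalid/pet.swf';

const encoded = buildEmbed(SAMPLE_SWF, SAMPLE_VARS, true);
const raw = buildEmbed(SAMPLE_SWF, SAMPLE_VARS, false);
console.log('percent-encoded survives:', survivesHi5(encoded)); // false
console.log('raw survives:', survivesHi5(raw));                  // true
```

Run under Node: the percent-encoded embed is dropped by the modelled filter (the `%C3%B1` and `%20` in the name trigger it), while the raw one survives. Leaving values raw is only workable because the attribute layer is still HTML-escaped; a name containing `&` or `=` would still corrupt the flashvars string, which `rawFlashvarsSafe` flags before the tag is built.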