Ticket #269 (new task)

Opened 5 months ago

Last modified 2 weeks ago

sanitize user contributed html

Reported by: tschaub Owned by: whit
Priority: major Milestone: 1.1 Post-launch cleanup
Component: Grok Keywords:
Cc: rmarianski, Total Hours: 0.0
Estimated Hours: 0

Description

Both text and video media type stories accept html. The client can enforce that the html is sanitized before submitting, but requests may not always come from our forms.

For text type stories, we should only allow (and silently strip all others) the following tags: p, strong, em, and span.

For video type stories, we allow an object tag with params and an embed from youtube:

<object width="425" height="344">
  <param name="movie" value="http://www.youtube.com/v/9S9vlgtt264&hl=en&fs=1"></param>
  <param name="allowFullScreen" value="true"></param>
  <embed src="http://www.youtube.com/v/9S9vlgtt264&hl=en&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"></embed>
</object>

This should either be replaced by a url (that we can convert into the object tag) or a solution that allows upload through the youtube api.

For sanitizing html (which should at least be done for the story content), something like this looks good (if grok/zope doesn't have something else built in).

Change History

Changed 2 weeks ago by nickyg

Not sure what we're already doing.

Note, we should be more liberal in what we allow inside text stories. <a> <i> <b> <ul> <li> are fine; maybe others.
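An allowlist sanitizer for story HTML, added here as an example (not code from this ticket, from Grok/Zope, or from the project), covering both the description's text-story tag set and the broader list suggested above; it uses Python's standard html.parser and keeps the text of stripped tags. The attribute rule (only href on <a>, http/https only) and the complete dropping of script/style content are assumptions beyond what the ticket specifies.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

TEXT_STORY_TAGS = {"p", "strong", "em", "span"}                      # ticket description
LIBERAL_TEXT_TAGS = TEXT_STORY_TAGS | {"a", "i", "b", "ul", "li"}    # nickyg's comment
SAFE_ATTRS = {"a": {"href"}}        # assumption: only href on <a>; all other attributes dropped
SAFE_SCHEMES = {"http", "https"}    # assumption: absolute http(s) links only
DROP_CONTENT = {"script", "style"}  # their text is code, not story content: drop it entirely

class AllowlistSanitizer(HTMLParser):
    """Keep only allowlisted tags; strip the rest but keep their text."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.open, self.skip = allowed, [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip = tag
            return
        if tag not in self.allowed:
            return                                  # silently strip the tag itself
        kept = ""
        for name, value in attrs:
            if name not in SAFE_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and urlparse(value.strip()).scheme not in SAFE_SCHEMES:
                continue                            # rejects non-http(s) URL schemes
            kept += ' %s="%s"' % (name, escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))
        self.open.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        elif tag in self.open:                      # close nested tags so output stays well-formed
            while (t := self.open.pop()) != tag:
                self.out.append("</%s>" % t)
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self.skip is None:
            self.out.append(escape(data, quote=False))   # re-escape text, never emit raw markup

def sanitize(html, allowed=TEXT_STORY_TAGS):
    p = AllowlistSanitizer(allowed)
    p.feed(html)
    p.close()
    while p.open:                                   # close anything the author left open
        p.out.append("</%s>" % p.open.pop())
    return "".join(p.out)
```

Comments (`<!-- -->`) are dropped because handle_comment is not overridden, and tag and attribute names arrive lowercased from the parser, so the allowlist comparison is case-insensitive.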

Changed 2 weeks ago by nickyg

  • cc rmarianski, added

Rmar might know what we're currently doing here.

Changed 2 weeks ago by nickyg

  • milestone set to 1.1 Improvements