I’ve finally figured out how to make HTML::Parser do the right thing, so now, if you type comments into the box at the bottom of an individual blog entry, you can use some HTML, but “ugly” and “unsafe” tags and attributes will be stripped out. By “ugly”, I mean anything that might screw up the page layout, such as the <h1> tag. By “unsafe”, I mean anything that might be used as a carrier for a cross-site scripting attack, like the “onLoad” attribute.
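An allowlist sanitizer of the kind described above, built on HTML::Parser's api_version 3 handlers and HTML::Entities. This is an added example, not the blog's own code; the allowlist, the href rule and the sample comment are my own choices.

```perl
use strict;
use warnings;
use HTML::Parser ();
use HTML::Entities qw(encode_entities);

# Allowlist: tag => permitted attributes. Anything not listed is stripped,
# so "ugly" tags (h1) and "unsafe" attributes (onload, onclick) never pass.
my %ALLOWED = (
    p => [], br => [], b => [], i => [], em => [], strong => [],
    blockquote => [], code => [], pre => [],
    a => [ 'href', 'title' ],
);
my %VOID = ( br => 1 );

sub sanitize_comment {
    my ($html) = @_;
    my $out = '';
    my $p = HTML::Parser->new(
        api_version => 3,
        # Tag and attribute names arrive lowercased, so onLoad == onload.
        start_h => [ sub {
            my ($tag, $attr) = @_;
            return unless exists $ALLOWED{$tag};
            my @keep;
            for my $name (@{ $ALLOWED{$tag} }) {
                next unless defined $attr->{$name};
                my $val = $attr->{$name};
                # Links must be http(s), site-relative (not protocol-relative) or
                # in-page; this drops javascript: and data: URLs (script carriers).
                next if $name eq 'href' && $val !~ m{\A(?:https?://|/(?!/)|#)}i;
                push @keep, sprintf '%s="%s"', $name, encode_entities($val, '<>&"');
            }
            $out .= '<' . join(' ', $tag, @keep) . ($VOID{$tag} ? ' />' : '>');
        }, 'tagname, attr' ],
        end_h => [ sub {
            my ($tag) = @_;
            $out .= "</$tag>" if exists $ALLOWED{$tag} && !$VOID{$tag};
        }, 'tagname' ],
        # Text is decoded by the parser and re-encoded here, so a stray '<' or '&'
        # cannot form markup; comments and PIs have no handler and are discarded.
        text_h => [ sub { $out .= encode_entities($_[0], '<>&') }, 'dtext' ],
    );
    $p->parse($html)->eof;
    return $out;
}

# Constructed sample comment exercising each stripping rule.
my $comment = '<p onClick="x()">Hi <b>there</b></p><h1>Shout</h1>'
            . '<a href="javascript:alert(1)" onmouseover="x()">link</a>';
print sanitize_comment($comment), "\n";
```

Note that a disallowed tag loses only its markup: the text between its open and close tags is kept as escaped text, which is the safe default for comment display.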
Coming soon: the RSS template will change so that the permalink will point to the individual blog-entry page (http://dynamic.ropine.com/yo/meta/comments-v2.html) instead of the page with all the entries of that day (http://dynamic.ropine.com/2004/07/05#comments-v2). This might make LiveJournal and other syndication services think I’ve just posted a half-dozen completely new entries, so I thought I’d warn y’all before I did it.