On 24 January 2012 15:57, Daniel Friesen lists@nadir-seen-fire.com wrote:
On Tue, 24 Jan 2012 06:16:48 -0800, Tei oscar.vives@gmail.com wrote:
On 24 January 2012 06:59, Daniel Friesen lists@nadir-seen-fire.com wrote: ..
Don't delude yourself into thinking that you can easily blacklist the elements that would run a script. http://ha.ckers.org/xss.html
What about using textNodes?
http://stackoverflow.com/questions/476821/is-a-dom-text-node-guaranteed-to-n...
Then it's just text. That's about as safe as throwing everything through htmlspecialchars; it's fine.
I'm saying that you can't blacklist things, i.e. you can't run a message through a jQuery message filter, try to strip out script tags from the DOM and then insert it thinking that you've removed all the XSS vectors.
People on the internet suggest something like $("<div/>").text( "<script>alert('lets do evil!')</script>" ).html();
PS: Some random code I just wrote.
// requires jQuery ($) for the text-node based escaping in encode()
var Stringbuilder = (function () {
    var text = [];
    return {
        // append raw markup as-is
        add: function (txt) { text.push(txt); return this; },
        // append untrusted text, HTML-escaped by round-tripping it through a text node
        encode: function (txt) { text.push($("<div/>").text(txt).html()); return this; },
        toString: function () { return text.join(""); }
    };
});

var str = Stringbuilder();
str.add("<table>").add("<tr>").add("<td>")
   .encode("<script>alert('lets do evil!')</script>")
   .add("</td>").add("</tr>").add("</table>");
str.toString();
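The thread makes two points worth seeing side by side: a script-tag blacklist leaves other executable markup behind, and the text-node trick escapes only what the browser's text serialisation escapes. The following is an added example, not code from either poster; it runs under Node without jQuery or a DOM, so the `$("<div/>").text(s).html()` step is replaced by a plain function (textNodeEncode) that reproduces what innerHTML serialisation of a text node produces. The payload strings are constructed for illustration and the containsRawMarkup check is a deliberately crude stand-in for a browser's parser.

```javascript
// Added example: blacklist filtering versus escaping, runnable under Node.

// The approach the thread warns against: strip <script> tags and hope
// nothing executable survives.
function stripScriptTags(html) {
  return html.replace(/<\/?script[^>]*>/gi, "");
}

// What $("<div/>").text(s).html() gives you: the serialisation of a text
// node, which escapes only &, < and >. Quotes pass through untouched, so
// the result is safe as element text but NOT inside a quoted attribute.
function textNodeEncode(text) {
  return String(text).replace(/[&<>]/g, function (ch) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;" }[ch];
  });
}

// htmlspecialchars-style escaping that also covers both quote characters,
// so the output can be placed in element text or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, function (ch) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[ch];
  });
}

// Same shape as the builder posted above, with encode() using escapeHtml.
function StringBuilder() {
  var parts = [];
  return {
    add: function (raw) { parts.push(raw); return this; },
    encode: function (untrusted) { parts.push(escapeHtml(untrusted)); return this; },
    toString: function () { return parts.join(""); }
  };
}

// Constructed attacker inputs (illustrative): only the first one depends
// on a literal <script> element.
var payloads = [
  "<script>alert('lets do evil!')</script>",
  "<img src=x onerror=alert(1)>",                 // event handler, no <script>
  "<scr<script>ipt>alert(1)</scr</script>ipt>",   // reassembles after one strip pass
  '" onmouseover="alert(1)'                       // breaks out of a quoted attribute
];

// Crude stand-in for "the browser would treat this as markup": a raw tag
// opener, or a raw double quote that would end an attribute value.
function containsRawMarkup(s) {
  return /<[a-z\/]|"/i.test(s);
}

// Payloads that still carry raw markup after the blacklist pass.
function blacklistSurvivors() {
  return payloads.filter(function (p) { return containsRawMarkup(stripScriptTags(p)); });
}

// Payloads that would still break out of a double-quoted attribute after
// the text-node style encoding (quotes are not escaped by it).
function textNodeBreakouts() {
  return payloads.filter(function (p) { return /"/.test(textNodeEncode(p)); });
}

// Payloads that still carry raw markup after full escaping.
function escapedSurvivors() {
  return payloads.filter(function (p) { return containsRawMarkup(escapeHtml(p)); });
}

// Untrusted text used in both an attribute and as element content.
function buildRow(untrusted) {
  return StringBuilder()
    .add('<table><tr><td title="').encode(untrusted).add('">')
    .encode(untrusted)
    .add("</td></tr></table>")
    .toString();
}
```

blacklistSurvivors() returns three of the four payloads: only the plain `<script>` element is removed, while the event handler, the nested tag and the attribute breakout survive. textNodeBreakouts() returns the last payload, which is the reason to prefer a full escaper over the text-node trick whenever the output lands in an attribute; escapedSurvivors() returns nothing.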