On Tue, 24 Jan 2012 06:16:48 -0800, Tei oscar.vives@gmail.com wrote:
On 24 January 2012 06:59, Daniel Friesen lists@nadir-seen-fire.com wrote: ..
Don't delude yourself into thinking that you can easily blacklist the elements that would run a script. http://ha.ckers.org/xss.html
What about using text nodes? http://stackoverflow.com/questions/476821/is-a-dom-text-node-guaranteed-to-n...
Then it's just text. That's about as safe as throwing everything through htmlspecialchars, it's fine.
I'm saying that you can't blacklist things. I.e., you can't run a message through a jQuery message filter, try to strip out script tags from the DOM and then insert it thinking that you've removed all the XSS vectors.
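An added example, not part of the thread, illustrating the two points above in JavaScript: a text node's data is serialised the way htmlspecialchars() output is, so it can never open an element, whereas a filter that only strips script tags leaves the rest of the string as live markup. The serializeTextNode helper and the sample string are constructed for this example; no browser DOM is assumed.

```javascript
// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES): every character
// that can open markup or break out of an attribute becomes an entity.
function htmlspecialchars(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  }[c]));
}

// What a text node created with document.createTextNode(s) looks like when
// the browser serialises it back to HTML: & < > and U+00A0 become entities,
// so a '<' inside the data can never start an element (assumed helper that
// mirrors the HTML serialisation rule for text nodes).
function serializeTextNode(data) {
  return data.replace(/[&<>\u00a0]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '\u00a0': '&nbsp;',
  }[c]));
}

// The blacklist approach the thread warns against: remove <script> elements
// and hand the remainder to innerHTML.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// If the output still contains raw '<' or '>', assigning it via innerHTML
// parses it as markup; escaped text or a text node never gets parsed at all.
function leavesMarkupActive(out) {
  return /[<>]/.test(out);
}

// Constructed sample input: a script element next to an ordinary element.
const SAMPLE = 'Hi <script>doSomething()</script> <b>bold</b>';

// Side-by-side result of the three treatments of the same input.
function demo() {
  return {
    escaped: htmlspecialchars(SAMPLE),       // inert, no '<' survives
    asTextNode: serializeTextNode(SAMPLE),   // inert, same idea
    blacklisted: stripScriptTags(SAMPLE),    // '<b>bold</b>' is still live HTML
  };
}
```

Only the last variant is ever parsed as HTML again, which is why removing one tag name says nothing about what else in the string the parser will act on.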