On 24 January 2012 15:57, Daniel Friesen <lists(a)nadir-seen-fire.com> wrote:
> On Tue, 24 Jan 2012 06:16:48 -0800, Tei <oscar.vives(a)gmail.com> wrote:
>> On 24 January 2012 06:59, Daniel Friesen <lists(a)nadir-seen-fire.com> wrote:
>>> ..
>>> Don't delude yourself into thinking that you can easily blacklist the
>>> elements that would run a script.
>>> http://ha.ckers.org/xss.html
>>
>> What about using textNodes?
>> http://stackoverflow.com/questions/476821/is-a-dom-text-node-guaranteed-to-…
>> Then it's just text.
>
> That's about as safe as throwing everything through htmlspecialchars, it's
> fine.
>
> I'm saying that you can't blacklist things. ie: You can't run a message
> through a jquery message filter, try to strip out script tags from the dom
> and then insert it thinking that you've removed all the XSS vectors.
People on the internet suggest something like
$("<div/>").text("<script>alert('lets do evil!')</script>").html();
postdata:
Some random code I just wrote.

// Requires jQuery. encode() escapes untrusted text by setting it as the
// text of a detached <div> and reading back the serialized HTML, so the
// browser's own serializer turns '<', '>' and '&' into entities.
var Stringbuilder = (function(){
    var text = [];
    return {
        // add(): markup written by the developer, appended as-is
        add: function(txt) { text.push(txt); return this; },
        // encode(): untrusted data, appended as escaped text
        encode: function(txt) {
            text.push( $("<div/>").text( txt ).html() );
            return this;
        },
        toString: function() { return text.join(""); }
    };
});
var str = Stringbuilder();
str.add("<table>")
   .add("<tr>")
   .add("<td>")
   .encode("<script>alert('lets do evil!')</script>")
   .add("</td>")
   .add("</tr>")
   .add("</table>");
str.toString();
--
End of message.
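As an added example (not code from the thread), the same "encode via a text node" idea written without the jQuery dependency: escapeText() reproduces the replacements the browser's HTML serializer applies to a text node, and the builder also covers the attribute context that the text-node trick alone does not make safe.

```javascript
// Added example, not code from the thread. A jQuery-free equivalent of the
// $("<div/>").text(txt).html() trick: escapeText() applies the same
// replacements the browser's HTML serializer applies to a text node
// ('&', U+00A0, '<', '>'); note that quotes are left alone.
function escapeText(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The text-node trick is only safe for element content. A value dropped into
// a quoted attribute also needs its quotes escaped, so use this instead.
function escapeAttr(s) {
  return escapeText(s)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Builder in the style of the post's Stringbuilder, with one method per
// context: add() for markup the developer wrote, encode() for untrusted
// text content, attr() for an untrusted value in a double-quoted attribute.
function StringBuilder() {
  const parts = [];
  return {
    add(markup) { parts.push(markup); return this; },
    encode(data) { parts.push(escapeText(data)); return this; },
    attr(name, value) { parts.push(` ${name}="${escapeAttr(value)}"`); return this; },
    toString() { return parts.join(""); }
  };
}

// Render one untrusted string (constructed sample input) into both
// contexts of a table cell: the title attribute and the cell text.
function renderCell(untrusted) {
  return StringBuilder()
    .add("<table><tr><td")
    .attr("title", untrusted)
    .add(">")
    .encode(untrusted)
    .add("</td></tr></table>")
    .toString();
}
```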