Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 16 to 16 of 16
Thread: About scripting attacks...
01-13-2013, 12:35 AM #16
- Join Date
- Jun 2007
- Thanked 626 Times in 605 Posts
native methods are usually 20-30X faster than user-written methods for any given task.
here are a couple native functions that can sanitize text to some degree. they are not perfect, but both are way more comprehensive than replacing quotes...
var risky="hello <b onmouseover=alert(555)>World</b>!"; var safe = new Option(risky).innerHTML alert(safe) // shows "hello <b onmouseover=alert(555)>World</b>!"
if you know there are no <img>, <link>, <iframe>, <embed>, or <object> tags that can ping a 3rd-party site just by parsing, the follow produces safe plain text from any html:
var risky="hello <b onmouseover=alert(555)>World</b>!"; var safe = document.createElement("div"); safe.innerHTML=risky; alert( safe.innerText || safe.textContent) // shows "hello World!"Create, Share, and Debug HTML pages and snippets with a cool new web app I helped create: pagedemos.com
Users who have thanked rnd me for this post: