  1. #16 rnd me (Senior Coder, joined Jun 2007)
    Quote Originally Posted by sbhmf
    I concur with your assertions about the performance, though I might as well do it right on principle.

    I'll need to spend more time reviewing xhtml xss cheat sheets, though I prefer books and tomes . Any in particular that you might recommend?
    I can't think of any books off the top of my head. It's such a hush-hush enterprise in a rapidly changing environment that it would be hard to build a comprehensive outlay in a book.

    native methods are usually 20-30X faster than user-written methods for any given task.

    here are a couple native functions that can sanitize text to some degree. they are not perfect, but both are way more comprehensive than replacing quotes...

    var risky = "hello <b onmouseover=alert(555)>World</b>!";
    // the Option constructor stores its argument as a text node, so reading it back
    // through innerHTML serializes the text with &, < and > entity-encoded
    var safe = new Option(risky).innerHTML;
    alert(safe); // shows "hello &lt;b onmouseover=alert(555)&gt;World&lt;/b&gt;!"

    if you know there are no <img>, <link>, <iframe>, <embed>, or <object> tags that can ping a 3rd-party site just by parsing, the following produces safe plain text from any html:

    var risky = "hello <b onmouseover=alert(555)>World</b>!";
    var safe = document.createElement("div");
    // parse the markup into the detached div; without this assignment the div is empty
    safe.innerHTML = risky;
    // innerText/textContent return only the text nodes, with all tags dropped
    alert(safe.innerText || safe.textContent); // shows "hello World!"

  2. Users who have thanked rnd me for this post:

    sbhmf (01-13-2013)
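Added example, not code from rnd me's post: the `new Option(risky).innerHTML` trick above entity-encodes `&`, `<` and `>`, which is exactly what a text node needs, but it leaves `"` and `'` untouched, so the same string dropped into a double-quoted attribute value can still break out of it. The block below reimplements that text-context escape in plain JavaScript (so it also runs under Node, where `Option` and `document` do not exist), adds an attribute-context escape, and uses a constructed attacker string (the `riskyTitle` value, `buildLink*` helpers and `hasInjectedAttribute` check are all assumptions for the demo) to show the breakout that text-only escaping misses.

```javascript
// Context-aware HTML escaping in plain JavaScript (added example, not the post's code).
// escapeForText mirrors what `new Option(s).innerHTML` yields in a browser: only the
// characters that matter inside element text are encoded; quotes are left as-is.
function escapeForText(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // always first, so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute values additionally need both quote characters encoded, otherwise an
// untrusted value can close the attribute and start a new one (e.g. an event handler).
function escapeForAttribute(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// In a browser, use the native serializer the post describes; elsewhere (Node, tests)
// fall back to the hand-written table, which produces the same output for &, < and >.
function escapeForTextNative(s) {
  if (typeof Option !== 'undefined') {
    return new Option(String(s)).innerHTML;
  }
  return escapeForText(s);
}

// Constructed attacker input (assumption for the demo): a double quote followed by a
// fresh attribute. Nothing in it is < or >, so text-context escaping changes nothing.
const riskyTitle = '" onmouseover="alert(555)';

// Untrusted data placed in an attribute with text-only escaping: the breakout survives.
function buildLinkTextEscapedOnly(title) {
  return '<a href="/" title="' + escapeForText(title) + '">home</a>';
}

// Same markup with attribute-context escaping: the quote becomes &quot; and stays inert.
function buildLinkAttrEscaped(title) {
  return '<a href="/" title="' + escapeForAttribute(title) + '">home</a>';
}

// Crude illustration check (assumption for the demo): did a literal quote followed by
// an onmouseover attribute name end up in the serialized markup?
function hasInjectedAttribute(markup) {
  return /"\s+onmouseover=/.test(markup);
}
```

Usage: `hasInjectedAttribute(buildLinkTextEscapedOnly(riskyTitle))` is true while `hasInjectedAttribute(buildLinkAttrEscaped(riskyTitle))` is false. In real browser code the simplest fix is to avoid string-building altogether and let the DOM do the work: `el.textContent = risky` for text and `el.setAttribute('title', risky)` for attributes need no escaping at all, which is the same idea as the native tricks in the post.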
