  1. #16 rnd me (Senior Coder)
    Quote Originally Posted by sbhmf:
    I concur with your assertions about the performance, though I might as well do it right on principle.

    I'll need to spend more time reviewing XHTML XSS cheat sheets, though I prefer books and tomes. Any in particular that you might recommend?
    I can't think of any books off the top of my head. It's such a hush-hush enterprise in a rapidly changing environment that it would be hard to build a comprehensive outlay in a book.


    Native methods are usually 20-30X faster than user-written methods for any given task.

    Here are a couple of native functions that can sanitize text to some degree. They are not perfect, but both are way more comprehensive than replacing quotes...

    Code:
    // Passing a string to the Option constructor stores it as a text node, so
    // reading innerHTML back returns that text serialized with &, < and > escaped.
    // Quotes are left alone, so the result is safe as text content, not inside an attribute value.
    var risky = "hello <b onmouseover=alert(555)>World</b>!";
    var safe = new Option(risky).innerHTML;
    alert(safe); // shows "hello &lt;b onmouseover=alert(555)&gt;World&lt;/b&gt;!"

    If you know there are no <img>, <link>, <iframe>, <embed>, or <object> tags that can ping a 3rd-party site just by parsing, the following produces safe plain text from any HTML:

    Code:
    var risky = "hello <b onmouseover=alert(555)>World</b>!";
    var safe = document.createElement("div");
    // Parsing into a detached div builds the DOM without running inline scripts
    // or event handlers, but resource-loading tags can still trigger fetches.
    safe.innerHTML = risky;
    // innerText where supported, textContent otherwise: both return only the text nodes.
    alert(safe.innerText || safe.textContent); // shows "hello World!"

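Added example, not code from the post above: a plain-JS re-implementation of the "escaping a string" step of the HTML fragment serialization algorithm that a browser applies when you read `.innerHTML`, so the behaviour of the `new Option(risky).innerHTML` trick can be checked in Node without a DOM. The function names, the `isSafeFor` context check and the sample strings are my own.

```javascript
// Text-node mode: what new Option(risky).innerHTML returns for the stored text.
// Per the HTML serializer only &, U+00A0, < and > are rewritten; quotes pass through.
function escapeTextNode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Attribute-value mode: what the same serializer applies inside a quoted attribute.
// Here " is rewritten but < and > are not, so the two modes are not interchangeable.
function escapeAttributeValue(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
}

// Conservative escape for a string that may land in either context
// (text content or a quoted attribute value): covers both sets of delimiters.
function escapeHtml(s) {
  return escapeTextNode(s).replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Context check (hypothetical helper): can the already-escaped string still
// open a tag in text content, or close a double-quoted attribute value?
function isSafeFor(escaped, context) {
  if (context === "text") return !/[<>]/.test(escaped);
  if (context === "attribute") return !/"/.test(escaped);
  throw new Error("unknown context: " + context);
}

// Constructed sample inputs: the post's own payload, and a benign value
// that happens to contain a double quote and an ampersand.
const risky = 'hello <b onmouseover=alert(555)>World</b>!';
const quoted = 'O"Reilly & Sons';
```

The text-node escape reproduces exactly the string the post's first snippet shows, while the same output keeps its raw `"` and is therefore not safe to drop into an attribute; `escapeHtml` is the form to use when the destination context is not known.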