01-13-2013, 12:35 AM | #16
rnd me
Senior Coder
Join Date: Jun 2007
Location: Urbana
Posts: 3,462
Thanks: 9
Thanked 466 Times in 450 Posts
Quote:
Originally Posted by sbhmf
I concur with your assertions about the performance, though I might as well do it right on principle.

I'll need to spend more time reviewing xhtml xss cheat sheets, though I prefer books and tomes. Any in particular that you might recommend?
I can't think of any books off the top of my head. It's such a hush-hush enterprise in a rapidly changing environment that it would be hard to build a comprehensive outlay in a book.


native methods are usually 20-30X faster than user-written methods for any given task.

Here are a couple of native functions that can sanitize text to some degree. They are not perfect, but both are way more comprehensive than replacing quotes...

Code:
// the Option constructor stores its argument as a text node,
// so serializing it back via innerHTML yields escaped markup
var risky = "hello <b onmouseover=alert(555)>World</b>!";
var safe = new Option(risky).innerHTML;
alert(safe); // shows "hello &lt;b onmouseover=alert(555)&gt;World&lt;/b&gt;!"

If you know there are no <img>, <link>, <iframe>, <embed>, or <object> tags that can ping a 3rd-party site just by parsing, the following produces safe plain text from any html:

Code:
// parse the markup into a detached element, then read back only its text
var risky = "hello <b onmouseover=alert(555)>World</b>!";
var safe = document.createElement("div");
safe.innerHTML = risky; // parses the tags (this is why the list above matters)
alert(safe.innerText || safe.textContent); // shows "hello World!"
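The `new Option(risky).innerHTML` trick above relies on the HTML serializer escaping `&`, `<` and `>` in text nodes. The following is an added example, not code from the post or its author, that spells out that escaping as an explicit function so it can be reasoned about and run outside a browser, and adds a stricter variant for attribute values, because the serializer leaves `"` and `'` alone in text content. Function names (`escapeHtmlText`, `escapeHtmlAttr`, `demo`) and the second sample string are my own.

```javascript
// Added example (not from the post). escapeHtmlText produces the same
// output as `new Option(s).innerHTML` for element content; escapeHtmlAttr
// is the form to use when the value lands inside a quoted attribute.

// Characters the HTML serializer escapes inside text nodes.
function escapeHtmlText(s) {
  return String(s)
    .replace(/&/g, "&amp;")   // must come first so later entities are not re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Attribute context: quotes must also be neutralised, because the serializer
// does not touch them in text content and a stray quote can end the attribute.
function escapeHtmlAttr(s) {
  return escapeHtmlText(s)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed inputs: the post's own sample, plus one containing quotes.
const risky = 'hello <b onmouseover=alert(555)>World</b>!';
const quoted = 'Tom & "Jerry"';

function demo() {
  return {
    text: escapeHtmlText(risky),
    attr: escapeHtmlAttr(quoted),
    // true: text-context escaping leaves the quotes as they were
    textKeepsQuotes: escapeHtmlText(quoted).indexOf('"') !== -1,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The practical point: the Option output is only safe where it is used as element text. If the same string is dropped into an attribute (for example a `title` built by string concatenation), use the attribute variant or, better, set the attribute through the DOM API instead of building markup.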