Quote:
Originally Posted by sbhmf
I concur with your assertions about the performance, though I might as well do it right on principle.
I'll need to spend more time reviewing xhtml xss cheat sheets, though I prefer books and tomes  . Any in particular that you might recommend? |
i can't think of any books off the top of my head. It's such a hush-hush enterprise in a rapidly changing environment that it would be hard to build a comprehensive outlay in a book.
native methods are usually 20-30X faster than user-written methods for any given task.
here are a couple native functions that can sanitize text to some degree. they are not perfect, but both are way more comprehensive than replacing quotes...
Code:
var risky="hello <b onmouseover=alert(555)>World</b>!";
var safe = new Option(risky).innerHTML
alert(safe) // shows "hello <b onmouseover=alert(555)>World</b>!"
if you know there are no <img>, <link>, <iframe>, <embed>, or <object> tags that can ping a 3rd-party site just by parsing, the follow produces safe plain text from any html:
Code:
var risky="hello <b onmouseover=alert(555)>World</b>!";
var safe = document.createElement("div");
safe.innerHTML=risky;
alert( safe.innerText || safe.textContent) // shows "hello World!"
Before you post, read our: 
