  1. #16
    rnd me (Senior Coder)
    Join Date: Jun 2007
    Thanked 626 Times in 605 Posts
    Quote Originally Posted by sbhmf
    I concur with your assertions about the performance, though I might as well do it right on principle.

    I'll need to spend more time reviewing XHTML XSS cheat sheets, though I prefer books and tomes. Any in particular that you might recommend?
    I can't think of any books off the top of my head. It's such a hush-hush enterprise in a rapidly changing environment that it would be hard to build a comprehensive outlay in a book.

    Native methods are usually 20-30X faster than user-written methods for any given task.

    Here are a couple of native functions that can sanitize text to some degree. They are not perfect, but both are way more comprehensive than replacing quotes...

    var risky = "hello <b onmouseover=alert(555)>World</b>!";
    // Option's constructor stores the string as a text node; serializing it
    // through innerHTML escapes &, < and > (quotes are left as-is)
    var safe = new Option(risky).innerHTML;
    alert(safe); // shows "hello &lt;b onmouseover=alert(555)&gt;World&lt;/b&gt;!"

    If you know there are no <img>, <link>, <iframe>, <embed>, or <object> tags that can ping a 3rd-party site just by parsing, the following produces safe plain text from any HTML:

    var risky = "hello <b onmouseover=alert(555)>World</b>!";
    var safe = document.createElement("div");
    safe.innerHTML = risky; // parse the markup into a detached element (scripts do not run via innerHTML)
    alert(safe.innerText || safe.textContent); // shows "hello World!"

    Users who have thanked rnd me for this post: sbhmf (01-13-2013)
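An added example, not code from rnd me's post: a plain-JavaScript reproduction of the escaping the `new Option(risky).innerHTML` trick above yields (the HTML serializer escapes only `&`, non-breaking space, `<` and `>` in text nodes), written so it runs outside a browser, plus the case that trick does not cover. Text-node escaping leaves quotes alone, so the same "safe" string breaks out of a quoted attribute value. The `titleLink` and `parsedTitle` helpers and the sample payloads are constructed for this illustration.

```javascript
// Added example, not from the forum post. Runs in plain Node (no DOM).

// What the browser's serializer does to a text node, and therefore what
// new Option(str).innerHTML returns (assumed equivalent; the browser call
// itself is not used here so this runs offline). Quotes are NOT escaped.
function escapeAsTextNode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// For data placed inside a double- or single-quoted attribute value the
// quotes must be escaped as well, or the value terminates early.
function escapeForAttribute(s) {
  return escapeAsTextNode(s)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical template fragment: a user-controlled title attribute.
function titleLink(escaper, untrusted) {
  return '<a href="#" title="' + escaper(untrusted) + '">profile</a>';
}

// Read the title back the way a parser does: the value runs to the next
// double quote. If the escaper let a quote through, the value is cut short
// and the remainder of the payload lands in tag context as new attributes.
function parsedTitle(markup) {
  var m = /title="([^"]*)"/.exec(markup);
  return m ? m[1] : null;
}

// Constructed sample inputs: the post's markup payload, and one aimed at
// the attribute context instead (no < or >, so text escaping leaves it alone).
var markupPayload = "hello <b onmouseover=alert(555)>World</b>!";
var attrPayload = 'hello" onmouseover="alert(555)';

console.log(escapeAsTextNode(markupPayload));
// -> hello &lt;b onmouseover=alert(555)&gt;World&lt;/b&gt;!

console.log(titleLink(escapeAsTextNode, attrPayload));
// -> <a href="#" title="hello" onmouseover="alert(555)">profile</a>   (broken out)

console.log(titleLink(escapeForAttribute, attrPayload));
// -> <a href="#" title="hello&quot; onmouseover=&quot;alert(555)">profile</a>
```

The point for practice: the Option trick is fine for text that ends up between tags, but the escaping rules depend on where the string is inserted, so pick the escaper per context (text node vs. attribute value) rather than applying one function everywhere.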
