I've noticed a strange behavior of the stripTags() function.
As the documentation says about stripTags(): Strips a string of any
HTML tag.
But this function eliminates only the tags, not the content inside them.
I tested it with a response containing a mix of JSON data and some HTML code.
Here it is:

*******************   JSP PAGE
**********************************************
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib uri="http://www.atg.com/taglibs/json" prefix="json" %>
<json:object>
        <json:object name="elements">
                <json:property name="Rating" value="${rating}" />
                <json:property name="Count" value="${count}"/>
        </json:object>
</json:object>
<script>alert('Bye bye');</script>
<div>I will survive after stripTags()</div>
**********************************************************************************

Then, in my JavaScript, I typed the following code (responseText is
retrieved after the AJAX call; for simplicity I omit the AJAX code and
provide only a piece of the onAjaxLoad callback function):

//JavaScript code (inside the onAjaxLoad callback)
var responseText = responseText.stripScripts().stripTags().strip();
// the "malicious" text is still present in the response.

The stripScripts() function eliminates the <script>[content]</script> tag
entirely. But after stripTags() finishes, the "I will survive after
stripTags()" text is still present in responseText.

Everything would be fine if the stripTags() function had worked like
stripScripts() does.
Is this the correct behavior for the stripTags() function?
If yes, then the documentation should be changed.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Spinoffs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-spinoffs?hl=en
-~----------~----~----~----~------~----~------~--~---
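The behaviour described in the post, shown in a stand-alone script. This is an added example, not code from the original post and not Prototype's own source: stripScriptsLike() and stripTagsLike() are an assumed imitation of the regexes Prototype 1.6 used for String#stripScripts and String#stripTags (written from memory, not copied from the library), trim() stands in for strip(), and SAMPLE_RESPONSE is a constructed response modelled on the JSP page above. It shows that stripScripts removes the whole script element, body included, while stripTags removes only the tag tokens (so the div text survives, and stripTags on its own even leaves the alert(...) body behind as plain text), that stripping markup from a response that also carries data quietly corrupts any data containing angle brackets, and the alternative a practitioner would reach for: return JSON only, parse it, and escape values where they are rendered.

```javascript
// Added example, not code from the original post or from Prototype itself.
// stripScriptsLike/stripTagsLike imitate the regexes Prototype 1.6 used for
// String#stripScripts and String#stripTags (an assumption written from
// memory, not copied from the library); trim() stands in for strip().

// Matches a whole <script>...</script> element, body included.
const SCRIPT_FRAGMENT = /<script[^>]*>[\S\s]*?<\/script\s*>/gim;
// Matches a single opening or closing tag token and nothing else.
const TAG_TOKEN = /<\/?[^>]+>/gi;

function stripScriptsLike(s) {
  return s.replace(SCRIPT_FRAGMENT, '');
}

// Only the tag tokens go; the text between them is left alone by design.
function stripTagsLike(s) {
  return s.replace(TAG_TOKEN, '');
}

// Escape untrusted text so the browser displays it instead of parsing it.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Constructed sample response modelled on the JSP page in the post.
const SAMPLE_RESPONSE =
  '{"elements":{"Rating":4,"Count":12}}\n' +
  "<script>alert('Bye bye');</script>\n" +
  '<div>I will survive after stripTags()</div>\n';

// The chain from the post: stripScripts, then stripTags, then strip.
function cleanLikePost(responseText) {
  return stripTagsLike(stripScriptsLike(responseText)).trim();
}

// Constructed JSON whose string value legitimately contains angle brackets.
const JSON_WITH_ANGLES = '{"note":"score a < b and c > d","Count":12}';

// Tag stripping is a markup operation; applied to data it silently eats
// everything between a '<' and the next '>'.
function noteAfterStripTags(jsonText) {
  return JSON.parse(stripTagsLike(jsonText)).note;
}

// The alternative: have the endpoint return only JSON, parse it, and escape
// each value at the point where it is rendered as HTML.
function renderElements(jsonText) {
  const el = JSON.parse(jsonText).elements;
  return 'Rating: ' + escapeHTML(el.Rating) + ', Count: ' + escapeHTML(el.Count);
}

// Stand-alone run for the reader (skipped when loaded as a module).
if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module) {
  console.log(JSON.stringify(cleanLikePost(SAMPLE_RESPONSE)));
  console.log(JSON.stringify(stripTagsLike(SAMPLE_RESPONSE)));
  console.log(noteAfterStripTags(JSON_WITH_ANGLES));
  console.log(renderElements('{"elements":{"Rating":"<b>4</b>","Count":12}}'));
}
```

The takeaway is that stripTags() answers "remove the markup tokens", not "make this content safe"; the text survives because that is what the function is for. Rendering a value through a text node or escapeHTML() is what keeps it from being interpreted as markup, and keeping JSON and HTML in separate responses avoids running a markup filter over data at all.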