On Tue, 24 Jan 2012 06:16:48 -0800, Tei wrote:

> On 24 January 2012 06:59, Daniel Friesen wrote:
> ..
>> Don't delude yourself into thinking that you can easily blacklist the
>> elements that would run a script.
>> http://ha.ckers.org/xss.html
>
>
> What about using textNodes?
> http://stackoverflow.com/questions/476821/is-a-dom-text-node-guaranteed-to-not-be-interpreted-as-html
>
> Then it's just text.
That's about as safe as throwing everything through htmlspecialchars, it's fine.

I'm saying that you can't blacklist things. ie: You can't run a message through a jquery message filter, try to strip out script tags from the dom and then insert it thinking that you've removed all the XSS vectors.

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]

_______________________________________________
Wikitech-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
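The two points in the message above (stripping script tags from markup is not a filter; text nodes / htmlspecialchars are), in runnable JavaScript. This is an added example, not code from this thread or from MediaWiki; the functions, regexes and payload strings are this example's own, and the "looks executable" heuristic is deliberately crude.

```javascript
// Added example for this thread (not code from wikitech-l or MediaWiki):
// why stripping <script> tags is not enough, while escaping to text is.
// All payloads below are constructed for illustration.

// A naive blacklist of the kind the thread warns against: remove every
// <script ...> and </script> token, non-recursively.
function stripScriptTags(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, '');
}

// The "textNode / htmlspecialchars" route: escape the characters that can
// start markup, so the browser can only treat the result as character data.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Crude, example-only heuristic for "would a browser run something here":
// a <script> tag, an on* event-handler attribute, or a javascript: URL.
// A real browser parses far more leniently than this regex, which is the
// point of the cheat sheet: a blacklist has to anticipate all of it.
function looksExecutable(html) {
  return /<script\b/i.test(html) ||
         /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) ||
         /<[a-z][^>]*\s(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed payloads. The last one is the classic nested trick against a
// non-recursive tag stripper: removing the inner tokens reassembles the tag.
const payloads = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<svg onload=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
  '<scr<script>ipt>alert(1)</scr</script>ipt>',
];

// Run both approaches over every payload and count what still looks live.
function evaluatePayloads(list = payloads) {
  const rows = list.map(p => {
    const stripped = stripScriptTags(p);
    const escaped = escapeHtml(p);
    return {
      payload: p,
      stripped,
      strippedLooksExecutable: looksExecutable(stripped),
      escaped,
      escapedLooksExecutable: looksExecutable(escaped),
    };
  });
  return {
    rows,
    blacklistLeaks: rows.filter(r => r.strippedLooksExecutable).length,
    escapeLeaks: rows.filter(r => r.escapedLooksExecutable).length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = evaluatePayloads();
  for (const r of result.rows) {
    console.log(`payload : ${r.payload}`);
    console.log(`  stripped: ${r.stripped}  executable? ${r.strippedLooksExecutable}`);
    console.log(`  escaped : ${r.escaped}  executable? ${r.escapedLooksExecutable}`);
  }
  console.log(`blacklist leaks ${result.blacklistLeaks}/${result.rows.length}, ` +
              `escaping leaks ${result.escapeLeaks}/${result.rows.length}`);
}
```

Only the first payload is neutralised by the blacklist; the other four reach the browser with an event handler, a javascript: URL, or a reassembled script tag intact. The escaped form never contains a `<`, which is exactly why assigning untrusted input to a text node (or running it through htmlspecialchars) needs no list of forbidden elements at all.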
