On 24 January 2012 15:57, Daniel Friesen <[email protected]> wrote:
> On Tue, 24 Jan 2012 06:16:48 -0800, Tei <[email protected]> wrote:
>
>> On 24 January 2012 06:59, Daniel Friesen <[email protected]>
>> wrote:
>> ..
>>>
>>> Don't delude yourself into thinking that you can easily blacklist the
>>> elements that would run a script.
>>> http://ha.ckers.org/xss.html
>>>
>>
>> What about using textNodes?
>>
>> http://stackoverflow.com/questions/476821/is-a-dom-text-node-guaranteed-to-not-be-interpreted-as-html
>
>
> Then it's just text.
> That's about as safe as throwing everything through htmlspecialchars; it's
> fine.
>
> I'm saying that you can't blacklist things, i.e. you can't run a message
> through a jQuery message filter, try to strip out script tags from the DOM
> and then insert it thinking that you've removed all the XSS vectors.
>
People on the internet suggest something like $("<div/>").text(
"<script>alert('lets do evil!')</script>" ).html();
P.S.:
Some random code I just wrote.
// Builds an HTML string: add() appends trusted markup, encode() appends
// untrusted text, escaped by letting jQuery serialise it as a text node.
var Stringbuilder = function () {
    var text = [];
    return {
        add: function (txt) { text.push(txt); return this; },
        encode: function (txt) {
            text.push($("<div/>").text(txt).html());
            return this;
        },
        toString: function () { return text.join(""); }
    };
};

var str = Stringbuilder();
str.add("<table>")
   .add("<tr>")
   .add("<td>")
   .encode("<script>alert('lets do evil!')</script>")
   .add("</td>")
   .add("</tr>")
   .add("</table>");
str.toString();
--
End of message.
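As an added example (not code from Tei's message or from MediaWiki), the same builder idea without jQuery. escapeTextNode reproduces the text-node escaping a browser's HTML serializer applies, which is what the $("<div/>").text(s).html() trick relies on; what it adds is the caveat that this escaping leaves quote characters alone, so it is only safe between tags, and attribute values need the stricter escapeAttr. Function names and sample values are constructed for illustration.

```javascript
// Escape untrusted text the way the HTML fragment serializer escapes a
// text node: &, non-breaking space, < and >. This is what
// $("<div/>").text(s).html() returns in a browser. Quotes are untouched.
function escapeTextNode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Stricter escape for attribute values: also neutralises both quote
// characters so the value cannot terminate its attribute early.
function escapeAttr(s) {
  return escapeTextNode(s)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Builder in the same spirit as Stringbuilder above: add() appends trusted
// markup, text() untrusted element content, attr() an untrusted attribute.
function builder() {
  const parts = [];
  return {
    add(markup) { parts.push(markup); return this; },
    text(s) { parts.push(escapeTextNode(s)); return this; },
    attr(name, s) { parts.push(` ${name}="${escapeAttr(s)}"`); return this; },
    toString() { return parts.join(""); },
  };
}

// Render one table row with untrusted cell text and an untrusted title.
function renderRow(label, title) {
  return builder()
    .add("<tr><td")
    .attr("title", title)
    .add(">")
    .text(label)
    .add("</td></tr>")
    .toString();
}

// Constructed sample input, not taken from the thread.
const SAMPLE_TEXT = "<script>alert('lets do evil!')</script>";
const SAMPLE_TITLE = 'say "hi"';

// Text-node escaping keeps the raw quote, so it would break out of
// title="..."; escapeAttr does not.
console.log(escapeTextNode(SAMPLE_TITLE)); // say "hi"
console.log(renderRow(SAMPLE_TEXT, SAMPLE_TITLE));
```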
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l