139 views, 2 answers
I need to solve a problem with javascript injection in a form textarea and fields

<script type='text/javascript'>
window.location='http:site.com';
</script>

or

<a href='javascript:...'>

or

<form action...>

or

<input name...>

But I want to preserve some HTML tags, for example a, b, ul... Is this possible?

+1  A: 

Try using HTML Purifier to specify just what types of HTML you want to allow to protect yourself from such XSS attacks.

Matchu
A: 

If you're worried about XSS, you need to process the input on the server side to make sure there's no JavaScript in it. Hopefully this Perl example will help (apologies for the regex, it's not my strong suit).

use strict;
use warnings;

# Sample input: a page fragment with an injected script block.
my $str = <<HTML;
<body>
        <div>
                sfdasfasdfs
                <script type="text/javascript">
                        window.location.href = "http://badsite.com";
                </script>
                sadfssdfssdf
        </div>
</body>
HTML

# Remove <script ...> ... </script>. The class [\s\w\d\W] matches any
# character and is greedy, and the match is case-sensitive.
$str =~ s/<script.*?>[\s\w\d\W]*<\/script>//g;

print "$str\n";
Mike Thomsen
This won't strip out most of the examples given in the question. Nor, for that matter, would it strip out `<SCRIPT>`! Use an HTML parser to parse HTML. Writing sufficient regular expressions to make a piece of HTML safe is very difficult (and will end up with a lot of code).
David Dorward
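Both answers and the last comment point the same way: parse the HTML and keep only an allowlist of tags, instead of pattern-matching for `<script>`. The following is an added example of that approach written for this page; it is not code from the question, from either answer, or from HTML Purifier, and it is in Python (standard-library `html.parser`) rather than Perl. The allowed tags a, b and ul come from the question (li is added so lists stay valid); the safe-scheme list, the `clean_href` and `sanitize` names, and the sample inputs are assumptions made for the example. Because the parser lower-cases tag names and unescapes attribute values before the sanitizer sees them, `<SCRIPT>` and `&#106;avascript:` are handled the same as their plain forms, which is exactly where the regex approach falls down.

```python
"""Allowlist HTML sanitizer on top of the standard-library HTML parser.

Added example, not code from the question, the answers or HTML Purifier.
Every tag not on the allowlist is dropped (its text is kept), the text
inside <script>/<style> is dropped as well, and <a href> survives only
when its URL scheme is relative or on a small allowlist.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag allowlist from the question (a, b, ul) plus li so lists stay valid.
ALLOWED_TAGS = {"a", "b", "ul", "li"}
# Per-tag attribute allowlist: no on* handlers, no style, nothing else.
ALLOWED_ATTRS = {"a": {"href"}}
# Assumed safe schemes for this example; an empty scheme is a relative URL.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Tags whose text content must disappear too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}


def clean_href(value):
    """Return the href to emit, or None if its scheme is not allowed.

    ASCII control characters are removed first because browsers ignore
    tabs and newlines inside a URL, so "java<TAB>script:" would otherwise
    parse as a relative URL here and as JavaScript in the browser.
    """
    cleaned = "".join(ch for ch in value if ord(ch) >= 32).strip()
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if scheme == "" or scheme in SAFE_SCHEMES:
        return cleaned
    return None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        # Tag names arrive lower-cased: <SCRIPT> and <script> are the same.
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href":
                value = clean_href(value)
                if value is None:
                    continue
            parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is re-escaped, so "&lt;script&gt;" in the input stays literal.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions produce no output.


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs modelled on the question's examples.
    samples = [
        "<script type='text/javascript'>window.location='http://site.com';</script>",
        "<SCRIPT>alert(1)</SCRIPT>",
        "<a href='javascript:alert(1)'>click</a>",
        "<form action='http://site.com'><input name='q'></form>",
        "<b>bold</b> and <ul><li>item</li></ul>",
        "<a href='http://example.com/?a=1&amp;b=2'>ok</a>",
    ]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize(sample)))
```

The sanitizer keeps the text of unknown tags (so `<div>hello</div>` becomes `hello`) but discards the body of `<script>` and `<style>`, where the text is code rather than content. Attribute values are re-escaped on output, which is what keeps an unescaped `&` or `"` inside a kept `href` from breaking out of the attribute.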