Filtering JavaScript out of HTML

Backend · unresolved · 6 answers · 1636 views
走了就别回头了 2020-12-16 05:29

I have a rich text editor that passes HTML to the server. That HTML is then displayed to other users. I want to make sure there is no JavaScript in that HTML. Is there any w

6 answers
  •  悲&欢浪女
    2020-12-16 06:03

    As pointed out by Lee Theobald, that's a very dangerous plan. You cannot by definition ever produce "safe" HTML by filtering/blacklisting, since the user might put stuff into the HTML that you didn't think about (or that doesn't even exist in your browser version, but does in others).

    The only safe way is a whitelisting approach, i.e. strip everything but plain text and certain specific HTML constructs. This incidentally is what stackoverflow.com does :-).
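The whitelisting approach the answer recommends, as an added example that is not part of the original thread or of stackoverflow.com's sanitizer: a server-side sanitizer built on Python's standard-library `html.parser` that rebuilds the document from a fixed list of allowed elements and attributes, drops everything else (event-handler attributes, `<script>`/`<style>` contents, unknown elements), re-escapes all text, and only keeps link targets whose URL scheme is on an allow-list. The allowed-tag table, the `sanitize_html`/`is_safe_url` names and the sample inputs are my own choices for the example; in production a maintained library (for example DOMPurify or bleach) is the better-reviewed option, but the structure below is what such libraries do.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Whitelist: element -> attributes permitted on it. Anything not listed is dropped.
# (Illustrative choices for this example; tune to what the editor actually emits.)
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "code": set(), "pre": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                       # elements that never get a closing tag
DROP_CONTENT_TAGS = {"script", "style"}  # drop the element AND its text content
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")  # browsers ignore these inside a scheme


def is_safe_url(value):
    """Allow relative URLs and a few explicit schemes; reject javascript:, data:, vbscript:, ..."""
    cleaned = _CONTROL_CHARS.sub("", value)  # defeats "java\tscript:" style padding
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes entities before we see the text, so
        # "&#106;avascript:" in an attribute reaches is_safe_url as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed elements we have emitted and not yet closed
        self.drop_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: unwrap it, its text is still kept via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # this is what removes onclick=, onerror=, style=, ...
            if name in ("href", "src") and not is_safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')  # hardening for user-supplied links
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything down to the matching element so output nesting stays balanced.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    def finish(self):
        """Close any elements the input left open and return the rebuilt HTML."""
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted_html):
    parser = WhitelistSanitizer()
    parser.feed(untrusted_html)
    return parser.finish()


if __name__ == "__main__":
    # Constructed sample of what a user could submit through the editor.
    sample = ('<p>Hi <b onclick="steal()">there</b><script>alert(1)</script>'
              '<img src=x onerror=alert(1)><a href="&#106;avascript:alert(1)">link</a></p>')
    print(sanitize_html(sample))
```

Note what the whitelist buys over a blacklist: the sanitizer never needs to know the names of `onerror`, `javascript:`, or the next attribute a browser introduces, because anything it does not recognise is discarded and all text is rebuilt from escaped data. The output is a fresh serialisation, not the user's bytes with pieces removed, which is the property the answer is pointing at.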
