Protecting against evil code fragments with HTML Purifier
Posted by: brunascle on July 11, 2008 08:22 PM
The way I validate user-submitted HTML is to, before they submit the form, use JavaScript to set a hidden div's innerHTML equal to the HTML they wrote. The browser parses the HTML into the DOM. I then have JavaScript spider through the DOM it created and rewrite the HTML into valid XML. The XML is submitted, and the server-side code spiders through it (with an XML library), recreating the whole thing but only copying over elements and attributes that are explicitly allowed.
It works well, but the more tags you want to allow, the more complicated the server-side code gets.