das88
23 Aug 2007, 8:10 AM
I've been developing (ok, more futzing around) with an application that allows multiple people to edit data in Ext EditorGrid that will then be widgetized to display on multiple websites.
With such a structure, I'm worried about HTML/Script injection. For example, with a minimal grid someone could easily input into a text field
<script>alert('Hello World!')</script>
With the flexibility of Ext, there are a number of places to filter this out, and I was wondering what people thought was the best approach.
1) Create new vtypes and don't let injection attacks validate
2) create custom renders that strip out the tags and also deal with it on the server-side
3) something else???
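An added example, not part of the original post or of Ext's code, showing the renderer side of option 2 done as HTML-encoding rather than tag-stripping; it uses plain functions so it runs outside a browser, and assumes the Ext column renderer signature `(value, metadata, record, rowIndex, colIndex, store)`. Ext's own `Ext.util.Format.htmlEncode` does the same escaping inside a real grid.

```javascript
// Added example: encode cell values on output instead of stripping tags on
// input. Encoding is lossless (legitimate "<" and "&" still display) and
// neutralises the five characters that break out of text or attribute
// context; stripping is lossy and only catches things shaped like tags.
// Server-side storage/output still needs the same encoding on its own pages.

function htmlEncode(value) {
  if (value === null || value === undefined) return '';
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not doubled
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Column renderer with the Ext signature; attach as
//   { header: 'Title', dataIndex: 'title', renderer: safeRenderer }
function safeRenderer(value /*, metadata, record, rowIndex, colIndex, store */) {
  return htmlEncode(value);
}

// The "strip out the tags" filter from option 2, for comparison.
function stripTags(value) {
  return String(value).replace(/<[^>]*>/g, '');
}

// True when the rendered string contains no raw markup characters.
function isInert(rendered) {
  return !/[<>"']/.test(rendered);
}

// Constructed sample cell values, including the one from the post.
const samples = [
  "<script>alert('Hello World!')</script>",
  'Tom & Jerry <3',          // legitimate data that stripping would damage
  'a < b, b > c'             // stripping removes "< b, b >" entirely
];

// Render every sample both ways so the difference is visible side by side.
function compare(values) {
  return values.map(v => ({
    input: v,
    encoded: safeRenderer(v),
    stripped: stripTags(v),
    encodedInert: isInert(safeRenderer(v))
  }));
}

console.table(compare(samples));
```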