Feature request... Add stripping of inline JavaScript to stripScripts()



zhegwood
24 Apr 2009, 8:21 AM
I'm just thinking it'd be helpful to strip inline JavaScript events as well as the <script> tags and their content.

lukas
4 Dec 2009, 7:31 AM
Ext lacks any function to sanitize HTML code :-(

There is the google-caja project (which includes a JavaScript sanitizer: http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer); it would be valuable to mention it in the docs (under stripScripts) and to note that stripScripts isn't secure at all.

(google-caja works by whitelisting secure tags, attributes and CSS. If you like, you can define your own whitelists: http://code.google.com/p/google-caja/wiki/CajaWhitelists.)


The best solution is to implement a secure sanitize_html() in Ext :-)
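The two posts above make one point between them: removing `<script>` elements does nothing about inline event handlers or `javascript:` URLs, and the fix is an allow-list sanitizer. The following is an added example, not code from this thread, from Ext JS or from google-caja. It puts a `<script>`-only stripper (its regex is an assumption modelling the behaviour the thread describes, not Ext's own implementation) beside a small allow-list sanitizer in the spirit lukas describes; the tag and attribute allow-lists are illustrative rather than Caja's defaults, and the sample input is constructed. It runs under Node with no DOM.

```javascript
// Added example: not code from the thread, Ext JS, or google-caja. It contrasts
// a <script>-only stripper with a small allow-list HTML sanitizer. Runs under
// Node with no DOM; the allow-lists and sample inputs are constructed for this example.

// Assumption: this regex models "remove <script> elements and their content"
// as the thread describes stripScripts(); it is not Ext's own implementation.
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;

function stripScriptsOnly(html) {
  return html.replace(SCRIPT_RE, '');
}

// Allow-lists (illustrative, not Caja's defaults): anything not listed is dropped,
// so on* handlers, style= and unknown tags never reach the output.
const ALLOWED_TAGS = new Set(['a', 'b', 'br', 'em', 'i', 'img', 'li', 'p', 'strong', 'ul']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt'], '*': ['class'] };
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const VOID_TAGS = new Set(['br', 'img']);
const DROP_WITH_CONTENT = new Set(['script', 'style']);

const TAG_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][\w-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"' };

// Decode numeric and the basic named entities so "&#106;avascript:" is seen as "javascript:".
function decodeEntities(s) {
  const cp = (n) => (n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n));
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(amp|lt|gt|quot));?/gi, (_, hex, dec, name) =>
    hex ? cp(parseInt(hex, 16)) : dec ? cp(Number(dec)) : NAMED[name.toLowerCase()]);
}

// Text nodes: escape < and >, and any & that does not already start an entity.
function escapeText(s) {
  return s.replace(/&(?![a-z]+;|#\d+;|#x[0-9a-f]+;)/gi, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute values are re-emitted fully escaped from their decoded form.
function escapeAttr(s) {
  return decodeEntities(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Browsers drop ASCII control characters and whitespace inside a URL, so "java\tscript:"
// is a live scheme; normalise the same way before checking against the scheme allow-list.
function safeUrl(value) {
  const cleaned = decodeEntities(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return !m || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

function sanitizeHtml(html) {
  const out = [];
  const open = [];        // emitted open tags, closed in order at the end if the input is unbalanced
  let last = 0, skipUntil = null, m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    last = TAG_RE.lastIndex;
    const name = m[1] ? m[1].toLowerCase() : null;  // null for a comment
    const closing = m[0][1] === '/';
    if (skipUntil) {      // inside <script>/<style>: discard everything up to the matching close tag
      if (closing && name === skipUntil) skipUntil = null;
      continue;
    }
    if (text) out.push(escapeText(text));
    if (!name) continue;                             // comments are dropped
    if (DROP_WITH_CONTENT.has(name)) { if (!closing) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;           // unknown tag: drop the tag, keep its text
    if (closing) {
      if (open.includes(name)) {
        while (open.length) { const t = open.pop(); out.push(`</${t}>`); if (t === name) break; }
      }
      continue;
    }
    const allowed = [...(ALLOWED_ATTRS[name] || []), ...ALLOWED_ATTRS['*']];
    const attrs = [];
    let a;
    ATTR_RE.lastIndex = 0;
    while ((a = ATTR_RE.exec(m[2])) !== null) {
      const an = a[1].toLowerCase();
      const av = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowed.includes(an)) continue;             // this is what removes onclick=, onerror=, style=
      if (URL_ATTRS.has(an) && !safeUrl(av)) continue; // javascript:, data:, vbscript: ... are rejected
      attrs.push(` ${an}="${escapeAttr(av)}"`);
    }
    out.push(`<${name}${attrs.join('')}>`);
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  if (!skipUntil && last < html.length) out.push(escapeText(html.slice(last)));
  while (open.length) out.push(`</${open.pop()}>`);
  return out.join('');
}

// Constructed sample input mixing the vectors a <script>-only stripper misses.
const HOSTILE = '<p onclick="alert(1)">Hi <b>there</b></p>'
  + '<img src="x" onerror="alert(1)"><script>alert(2)</script>'
  + '<a href="javascript:alert(3)">x</a><a href="&#106;avascript:alert(4)">y</a>'
  + '<a href="https://example.com/?a=1&amp;b=2">ok</a>';

console.log(stripScriptsOnly(HOSTILE)); // onclick, onerror and javascript: all survive
console.log(sanitizeHtml(HOSTILE));     // <p>Hi <b>there</b></p><img src="x"><a>x</a><a>y</a><a href="https://example.com/?a=1&amp;b=2">ok</a>
```

The design choice worth noting is that nothing is rejected by pattern: `onerror=` is gone because it is not on the attribute list, not because an `on*` regex caught it, and URL attributes are normalised (entities decoded, control characters and whitespace removed) before the scheme is checked, because that is how a browser will read them. A deny-list of "dangerous" strings, which is what stripScripts() amounts to, fails on exactly the inputs this sample contains.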