Tug-of-Web 2.0
by Justin Gehtland
Issue: Nov 2007

If formatting is important but you want to prevent JavaScript from being executed, you will need to remove <script> blocks from the text. Most development platforms provide utilities for this, either in a separate utility class or as part of the string class. This can still leave loopholes; for example, the following nefarious HTML is only partially cleansed by removing <script> tags:

In this case, executable JavaScript is embedded as an attribute of an otherwise allowable HTML construct, not as the body of a script tag. The only reliable way to ensure that such JavaScript isn't executed is to HTML-encode the remainder of the string after stripping the <script> block. If you must allow users to upload formatted data to your Web application, take advantage of one of the many markup syntaxes that exist (such as Textile, Markdown or others). These syntaxes provide a custom markup language that a server-side library translates into fully formatted HTML prior to rendering, but they do not give the user access to items like <script> blocks and event handlers. Finally, when using a client-side Ajax framework, make sure you understand how to turn automatic JavaScript parsing on or off. Your default strategy should be to disallow it, though some development frameworks, such as Ruby on Rails, expect a more liberal policy on JavaScript execution because of the nature of their built-in Ajax support.
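The loophole and the fix described above, as an added example that is not code from the article: a naive "strip the script block" cleanser beside the strip-then-HTML-encode approach the text recommends. The function names, the regular expressions and the sample string are this example's own constructions, not the author's.

```python
import html
import re

# Removes <script>...</script> blocks only, the way a typical "strip script
# tags" helper in a string or HTML utility class does.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>",
                          re.IGNORECASE | re.DOTALL)

# Detects an on*= event-handler attribute that sits inside a live tag, i.e.
# one the browser would actually honour. Used here only to check results.
LIVE_EVENT_HANDLER = re.compile(r"<[a-z][^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def strip_script_blocks(text: str) -> str:
    """Naive cleansing: drop <script> blocks and leave everything else."""
    return SCRIPT_BLOCK.sub("", text)


def strip_then_encode(text: str) -> str:
    """Reliable cleansing as the article recommends: strip the <script>
    block, then HTML-encode the remainder so any leftover tag or attribute
    is rendered as literal text instead of being interpreted."""
    return html.escape(strip_script_blocks(text), quote=True)


def has_live_event_handler(markup: str) -> bool:
    """True if an event-handler attribute survived inside a real tag."""
    return LIVE_EVENT_HANDLER.search(markup) is not None


# Constructed sample input: a script block plus an otherwise-allowable <b>
# tag whose event-handler attribute carries JavaScript (the loophole).
SAMPLE = ('<script>callHome()</script>'
          '<b onmouseover="callHome()">hover me</b>')

if __name__ == "__main__":
    naive = strip_script_blocks(SAMPLE)
    encoded = strip_then_encode(SAMPLE)
    print("strip only        :", naive)
    print("handler still live:", has_live_event_handler(naive))
    print("strip + encode    :", encoded)
    print("handler still live:", has_live_event_handler(encoded))
```

Note that the encoded output also loses the legitimate bold formatting, which is exactly why the paragraph steers formatted user input toward a restricted markup syntax such as Textile or Markdown instead.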

Standardized and customized data (de)serializers. If you are using structured data, make sure you have an appropriate parser for the syntax (standard parsers are available for all popular syntaxes). If using XML, create or use an existing schema that can be used to validate document structure and content. Many microformats have such schemas, and you should enable your XML library's validation for any inbound or outbound data.
