Hacking stackoverflow.com's HTML sanitizer
-
Unicode strikes again!
[spoiler]<img ̊ onmouseover="[...]"> [/spoiler]
Because somehow
[spoiler]"<img ̊".StartsWith("<img") == false[/spoiler](note: the exploit is from 2009 but the article is new)
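The point this comment makes, as an added example that is the editor's code and not the thread's, Stack Overflow's or Discourse's: the first part uses Node's `Intl.Collator` to show that a locale-aware comparison and an ordinal one disagree once combining marks are involved (JavaScript's own `startsWith` is ordinal, so it does not reproduce the .NET result quoted above; it is shown for contrast). The second part is a hypothetical allow-list sanitizer that decides what element a tag is from the tokenized tag name, the way a browser does, instead of prefix-matching raw markup, and it is run on a payload constructed in the shape of the one in the spoiler. The allow list, the attribute names and the URL-scheme check are assumptions made for the example.

```javascript
// Added example (editor's code, not from the thread or from any sanitizer it
// discusses). Two things it shows:
//  1. A locale-aware comparison and a code-unit comparison disagree on strings
//     containing combining marks, so a security check must use the ordinal one.
//  2. A tag allow list should be decided on the tag name the HTML tokenizer
//     would extract, not by prefix-matching the raw text.

// 1. Locale-aware vs ordinal comparison.
// "ä" (U+00E4) and "a" + U+0308 COMBINING DIAERESIS are canonically equivalent.
// The ICU collator behind Intl.Collator calls them equal; a code-unit comparison
// does not. A check that mixes the two views (a culture-aware prefix test
// guarding markup that a browser later reads code unit by code unit) can be
// talked past with combining marks, which is the shape of the bug above.
function collatorSaysEqual(a, b, locale = "en") {
  return new Intl.Collator(locale).compare(a, b) === 0;
}
function ordinalEqual(a, b) {
  return a === b; // compares UTF-16 code units, no normalisation, no locale
}
// JavaScript's startsWith is ordinal, so the payload prefix-matches here; the
// comment above reports the opposite for .NET's culture-aware StartsWith.
function ordinalStartsWith(s, prefix) {
  return s.startsWith(prefix);
}

// 2. Decide "is this an <img>?" the way the HTML tokenizer does.
// After "<" (and an optional "/") the tag name is the run of ASCII letters,
// ended by whitespace, "/" or ">". Everything between the name and ">" is
// attribute territory, so "<img ̊ onmouseover=...>" is an img element whose
// first attribute has the junk name U+030A and whose second is onmouseover.
const TAG_RE = /^<(\/?)([A-Za-z]+)([^>]*)>$/;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseTag(token) {
  const m = TAG_RE.exec(token);
  if (!m) return null;
  const attrs = [];
  for (const a of m[3].matchAll(ATTR_RE)) {
    attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? "" });
  }
  return { closing: m[1] === "/", name: m[2].toLowerCase(), attrs };
}

// Hypothetical allow list for the example: element -> permitted attributes.
// A Map, not a plain object, so names like "constructor" cannot hit the prototype.
const ALLOWED = new Map([
  ["img", new Set(["src", "alt", "width", "height"])],
  ["a", new Set(["href", "title"])],
  ["b", new Set()], ["i", new Set()], ["p", new Set()],
]);
const URL_ATTRS = new Set(["src", "href"]);
function safeUrl(v) {
  const u = v.trim().toLowerCase();
  return u.startsWith("http://") || u.startsWith("https://") || u.startsWith("/");
}

function sanitizeTag(token) {
  const tag = parseTag(token);
  if (!tag) return "";                        // not a tag token we understand: drop it
  const allowedAttrs = ALLOWED.get(tag.name); // ordinal lookup on the parsed name
  if (!allowedAttrs) return "";               // element not on the allow list: drop it
  if (tag.closing) return `</${tag.name}>`;
  const kept = tag.attrs
    .filter(a => allowedAttrs.has(a.name))                   // drops on* and junk names
    .filter(a => !URL_ATTRS.has(a.name) || safeUrl(a.value)) // no javascript: URLs
    .map(a => ` ${a.name}="${a.value.replace(/&/g, "&amp;").replace(/"/g, "&quot;")}"`)
    .join("");
  return `<${tag.name}${kept}>`;
}

function encodeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Tokenise into complete tags, stray "<", and text runs, then rebuild.
function sanitize(html) {
  return html.replace(/<[^>]*>|<|[^<]+/g, tok =>
    tok.length > 1 && tok.startsWith("<") && tok.endsWith(">") ? sanitizeTag(tok) : encodeText(tok));
}

// Constructed input in the shape of the payload quoted in the spoiler above.
const PAYLOAD = '<img \u030A onmouseover="alert(1)" src="/x.png">';
```

Run with `node` and call `sanitize(PAYLOAD)`: the element is recognised as `img` because the tokenizer stops the tag name at the space, the U+030A attribute and the `onmouseover` handler are dropped, and `src="/x.png"` survives. The lesson is that the check must operate on the same view of the input the browser will use, and compare it ordinally.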
-
I was able to write a no-nonsense, special purpose HTML sanitizer in about 25 lines of code -- Jeff
Just like Discourse eh?
-
Curiously, it doesn't work on Discourse. Maybe Jeff decided that it was ok to use more than 25 lines of code to do an entire forum's security.
-
I was able to write a no-nonsense, special purpose HTML sanitizer in about 25 lines of code -- Jeff
[code]
/**- 20 lines of comments about how awesome I am
- ....
*/
function HTMLsanitizer(html) {
return html.match(/[a-zA-Z0-9.,;<>/]/mgi).join("");
}
[/code]
-
Curiously, it doesn't work on Discourse. Maybe Jeff decided that it was ok to use more than 25 lines of code to do an entire forum's security.
But look at all the bytes you can save!!!!!
-
"... alt=""[^""]*"" ..."
Regexes and C#-style quote escaping don’t mix well...
Filed under: It’s like transmitting line noise on a noisy link
-
technically that's only three lines of code as any proper JS optimizer will throw out the comments to save parse time and wire size
-
Then technically every JS ever is only 1 line of code, as a minimizer will remove any wasted carriage returns.
-
ok, yes.
fair point, but a line of code a couple of thousand miles long is stretching it a bit.