Mardak / profile


sanitize html injection #55

Closed mzhilyaev closed 10 years ago

mzhilyaev commented 10 years ago

according to amo-editor - we need to do that when concatenation happens

Mardak commented 10 years ago

https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/DOM_Building_and_HTML_Insertion#innerHTML_with_HTML_Escaping

mzhilyaev commented 10 years ago

We can also use bleach from here https://github.com/brianloveswords/bleach.js

oyiptong commented 10 years ago

importing bleach.js exposes an object called Bleach in the global scope

Running a few test strings:

> Bleach.clean("& this is awesome");
"& this is awesome"

> Bleach.clean("sweet & sour");
"sweet & sour"

For html tags, if you want to escape, you need to give it a whitelist. By default, it will allow all tags.

> Bleach.clean("a <a href='javascript:evilness()'>i'll be good i promise</a>");
"a <a href="javascript:evilness()">i'll be good i promise</a>"

> Bleach.clean("a <a href='javascript:evilness()'>i'll be good i promise", {tags: []});
"a &lt;a href="javascript:evilness()"&gt;i'll be good i promise&lt;/a&gt;"

If you want to strip out all html altogether, in addition to the tags whitelist, you can specify the strip parameter.

> Bleach.clean("a <a href='javascript:evilness()'>i'll be good i promise</a>", {strip: true, tags: []});
"a i'll be good i promise"
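One way to handle the concatenation case this issue is about, as an added example (not code from the profile add-on or from bleach.js): escape untrusted text before it is concatenated into markup, the approach the MDN page linked above describes. The `escapeHTML` and `html` helper names are my own, and the sample headline is a constructed input reusing the string tested with Bleach.clean() above.

```javascript
// Added example (not from the profile add-on or bleach.js): escape untrusted
// text before concatenating it into markup, so that markup structure can only
// come from the developer's own literals, never from the data.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that can open a tag, close a tag, or break out of a
// quoted attribute value. One pass over the string, so "&" is never
// double-escaped.
function escapeHTML(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are trusted markup written by the
// developer, every interpolated ${...} value is escaped. This makes the safe
// path the default instead of relying on each call site to remember it.
function html(strings, ...values) {
  return strings.reduce(
    (out, literal, i) =>
      out + literal + (i < values.length ? escapeHTML(values[i]) : ""),
    ""
  );
}

// Constructed sample: a headline arriving from an untrusted feed.
const headline =
  "a <a href='javascript:evilness()'>i'll be good i promise</a>";

// Returns markup that is safe to assign to innerHTML: the <div> is ours, the
// headline is rendered as visible text rather than as a live <a> element.
function renderHeadline(text) {
  return html`<div class="headline">${text}</div>`;
}
```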

mzhilyaev commented 10 years ago

js/bleach.js seems to clash with nytimes ribbon. Here's an error I get when loading bleach along with headliner-ribbon.js

JavaScript error: http://a1.nyt.com/assets/foundation/20140131-140053/js/foundation/lib/framework.js, line 1: Error: Mismatched anonymous define() module: function () {....