Open paradoxxxzero opened 10 years ago
Following a discussion with the GateOne developer, this should be reintroduced as a DCS control rather than a dirty OSC99 hack. The escape format will be:
\x90;TYPE|CONTENT\x9c
where TYPE will be HTML and CONTENT the raw HTML to be stripped.
FTR, my example SVG had no script tags.

On Mar 7, 2014 4:20 AM, "Mounier Florian" notifications@github.com wrote:
> Following a discussion with the GateOne developer, this should be reintroduced as a DCS control rather than a dirty OSC99 hack. The escape format will be:
> \x90;TYPE|CONTENT\x9c
> where TYPE will be HTML and CONTENT the raw HTML to be stripped.
>
> Reply to this email directly or view it on GitHub: https://github.com/paradoxxxzero/butterfly/issues/22#issuecomment-36979996
Yes, all on* attributes must be removed too. I was wondering, maybe using an embed tag with a data URL would be enough to prevent any exploit?
Use a good script-stripping method to clean the inserted HTML to avoid malicious script injection.
http://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression and https://github.com/LiftoffSoftware/htmltag/blob/master/htmltag.py#L186 could be a start.
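An added Python sketch (mine, not butterfly's code) covering both the DCS format from the issue body and the stripping the later comments ask for: it parses `\x90;TYPE|CONTENT\x9c`, then re-serialises the HTML through a tokenizer that drops script/style/iframe-type elements, every on* attribute and javascript:/vbscript:/data: URLs. The names `parse_dcs`, `HtmlStripper`, `render_dcs` and the DROP/URL_ATTRS sets are my assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

def parse_dcs(seq):
    # Expect DCS (C1 0x90) ';TYPE|CONTENT' ST (C1 0x9c); return (TYPE, CONTENT).
    if not (seq.startswith("\x90;") and seq.endswith("\x9c")) or "|" not in seq:
        raise ValueError("not a ';TYPE|CONTENT' DCS sequence")
    kind, _, content = seq[2:-1].partition("|")
    return kind, content

DROP = {"script", "style", "iframe", "object", "embed", "base", "meta", "link"}
URL_ATTRS = {"href", "src", "xlink:href", "action", "formaction"}
BAD_SCHEME = re.compile(r"^(javascript|vbscript|data):", re.I)

class HtmlStripper(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.raw = [], None   # raw: script/style tag whose body we are in
    def _attrs(self, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Strip control chars/spaces before the scheme test: "java\tscript:" still runs.
            bad_url = name in URL_ATTRS and value and BAD_SCHEME.match(re.sub(r"[\x00-\x20]", "", value))
            if not name.startswith("on") and not bad_url:   # on* = inline event handler
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):  # the parser delivers their bodies as data
            self.raw = tag
        elif tag not in DROP and not self.raw:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")
    def handle_endtag(self, tag):
        if tag == self.raw:
            self.raw = None
        elif tag not in DROP and not self.raw:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.raw:
            self.out.append(escape(data, quote=False))

def render_dcs(seq):
    kind, content = parse_dcs(seq)
    if kind != "HTML":                  # the only TYPE this handler understands
        raise ValueError(f"unsupported DCS type {kind!r}")
    parser = HtmlStripper()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)
```

A real tokenizer is used instead of the regex from the linked StackOverflow answer because a regex misses tags with unusual spacing, attribute quoting or split across chunks.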