This is the mail archive of the
xsl-list@mulberrytech.com
mailing list .
xhtml sanitizer
- From: Guy McArthur <guym at guymcarthur dot com>
- To: xsl-list at lists dot mulberrytech dot com
- Date: Fri, 19 Jul 2002 10:18:20 -0700 (MST)
- Subject: [xsl] xhtml sanitizer
- Reply-to: xsl-list at lists dot mulberrytech dot com
What would be the best way to implement an html "sanitizer"?
E.g. for web-based input forms, you want to prevent cross-site scripting
and other attacks.
One way would be to allow xhtml input (but it's probably unreasonable to
assume that people would input syntatically correct xhtml), and then have
a DTD of allowed elements and attributes. On validation error the user is
thrown back to the form. Another way could be to have an xsl that copies
only allowed nodes.
Comments? Is this still a job best left to other things, like regular
expressions?
--
Guy McArthur * email{guym@arizona.edu} http{guymcarthur.com}
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list