A way to clean up HTML (kill XSS content)

Post by MikeGale » Thu Jul 19, 2012 8:48 pm

An area that is surprisingly poorly supported is ways to clean up HTML.

Considering that browsers do a lot of it all day every day, there are not a lot of good ways to automate the process before publication.

Here's an approach which looks right to me. (I haven't tested this yet!)

http://j.mp/MuR91O

It's from Rick Strahl who does some excellent work.

Might be useful to some people around here.

Re: A way to clean up HTML (kill XSS content)

Post by Albert Wiersch » Mon Jul 23, 2012 11:12 am

Thanks Mike. Interesting stuff even though I don't use .NET (as of now anyway).

I do like this quote:
Sometimes I really feel sad that it's come this far - how many good applications and tools have been thwarted by fear of XSS attacks? So many things that could be done *if* we had a more secure browser experience and didn't have to deal with every little script twerp trying to hack into Web pages. So much time wasted building secure apps, so much time wasted by others trying to hack apps… We're a funny species - no other species manages to waste as much time, effort and resources as we humans do :-)
Albert Wiersch
