Hi,
I'm sanitizing html submitted with CKEditor and I want to completely remove scripts if they are submitted.
Currently if I have text like this:
<script>alert('hack');</script>
it ends up like:
alert('hack');
Is there a way to make the sanitizer remove everything inside a script tag as well as the tag itself?
Hi Dan,
The HTMLSanitiser.stripInvalidMarkup method does exactly that. See the output of the sample program for a working demonstration.
If you need to customise it in any way the source code of HTMLSanitiser is pretty straightforward to understand and tweak to requirements.
Cheers
Martin
In your test you have:
But I would want it to be:
Sorry you're right. Maybe I shouldn't respond so late at night!
The HTMLSanitiser sample program is designed to allow a web page to safely include user generated HTML in a page.
I think the idea behind leaving the contents of a script element visible was to highlight the fact that someone has tried to insert script into the content, which is arguably a better way to handle an attempted security breach than to just hide it completely. I'd suggest you explicitly check for script tags and log some sort of alert if they are found.
Regardless, I've modified the code in release 3.4 to check for script elements and remove their entire content.
Until version 3.4 is officially released, the development version is available here:
http://jericho.htmlparser.net/temp/jericho-html-3.4-dev.zip
Cheers
Martin
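The behaviour discussed in this thread, as an added, self-contained example that is not Jericho's HTMLSanitiser code: an allow-list sanitiser built on Python's standard `html.parser` that drops `script` and `style` elements together with their entire content (the 3.4 behaviour), strips unknown tags while keeping their text, rejects non-allow-listed attributes and non-http(s)/mailto `href` values, and counts script insertion attempts so the caller can log an alert as suggested above. The allow-list, the attribute rules and the returned attempt counter are assumptions chosen for this example, not the sample program's own rules.

```python
from html.parser import HTMLParser
from html import escape

# Constructed allow-list for this example; HTMLSanitiser has its own rules.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
# Elements whose whole content is discarded, not just the surrounding tags.
DROP_CONTENT_TAGS = {"script", "style"}
VOID_TAGS = {"br"}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")


class Sanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0        # > 0 while inside a script/style element
        self.script_attempts = 0   # how many script/style elements were seen

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            # Enter "drop everything" mode; html.parser delivers the raw
            # script body through handle_data, which we suppress below.
            self.drop_depth += 1
            self.script_attempts += 1
            return
        if self.drop_depth:
            return
        if tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                    continue  # e.g. onclick, style: never copied through
                if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                    continue  # blocks javascript:, data: and similar schemes
                kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
        # Tags not in the allow-list are dropped; their text is still emitted
        # (escaped) by handle_data, so visible content is not lost.

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth:
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            # Re-escape so that text can never be interpreted as markup.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are discarded entirely


def sanitise(html):
    """Return (clean_html, script_attempts) for the given untrusted HTML."""
    parser = Sanitiser()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.script_attempts


if __name__ == "__main__":
    # Constructed sample input mirroring the thread's example.
    clean, attempts = sanitise("<p>Hello</p><script>alert('hack');</script>")
    print(repr(clean))     # '<p>Hello</p>'
    if attempts:
        print(f"ALERT: {attempts} script element(s) removed from submitted HTML")
```

The `href` check deliberately accepts only absolute `http`, `https` and `mailto` links; a deployment that needs relative links would relax that rule, but any scheme-based filter should be an allow-list rather than a block-list of known-bad schemes. Logging `script_attempts` gives the alert Martin suggests without showing the attacker's payload to other users.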