Thread: Feature request... Add stripping of inline javascript to stripScripts()

  1. #1
    zhegwood

    Feature request... Add stripping of inline javascript to stripScripts()

    I'm just thinking it'd be helpful to strip inline JavaScript events as well as the <script> tags and their content.

  2. #2

    secure sanitize_html

    Ext lacks any function to sanitize HTML code :-(

    There is the google-caja project (which includes a JavaScript sanitizer: http://code.google.com/p/google-caja...sHtmlSanitizer), which would be valuable to mention in the docs (in stripScripts), along with a note that stripScripts isn't secure at all.

    (google-caja works by whitelisting secure tags, attributes and CSS. If you like, you can define your own whitelists: http://code.google.com/p/google-caja...CajaWhitelists).

    The best solution is to implement a secure sanitize_html() in Ext :-)
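
As an added illustration (not part of the thread, and not Ext's or google-caja's code), the sketch below contrasts a script-tag-only stripper with the whitelist approach the second post describes. The function names, the tag and attribute lists, and the sample input are assumptions made for the example.

```javascript
// Added illustration: not Ext's or Caja's code. All names here are hypothetical.
const ALLOWED = { b: [], i: [], em: [], strong: [], p: [], br: [], a: ['href', 'title'] };
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i; // scheme allowlist for href values
const VOID = new Set(['br']);
const DROP_WITH_CONTENT = new Set(['script', 'style']);

// Numeric-entity escape. Entities in the input are not decoded, so "&amp;" is
// double-encoded: lossy, but never less safe.
const esc = (s) => s.replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');

// Stand-in for a script-tag-only stripper: removes <script>...</script>, nothing else.
function stripScriptTagsOnly(html) {
  return String(html).replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Whitelist sanitizer: the output is rebuilt from scratch, so only listed tags
// and attributes can appear in it; other markup is dropped and text is escaped.
function sanitizeHtml(html) {
  const src = String(html);
  const tokenRe = /<(\/?)([a-z][a-z0-9]*)(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^'">])*)>|([^<]+)|(<)/gi;
  const attrRe = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let out = '', m;
  while ((m = tokenRe.exec(src)) !== null) {
    if (m[2] === undefined) { out += esc(m[4] !== undefined ? m[4] : m[5]); continue; }
    const name = m[2].toLowerCase();
    if (!m[1] && DROP_WITH_CONTENT.has(name)) { // skip the element body as well
      const end = new RegExp('</' + name + '\\b[^>]*>', 'gi');
      end.lastIndex = tokenRe.lastIndex;
      tokenRe.lastIndex = end.exec(src) ? end.lastIndex : src.length;
      continue;
    }
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) continue; // unlisted tag
    if (m[1]) { if (!VOID.has(name)) out += '</' + name + '>'; continue; }
    let tag = '<' + name;
    for (const a of m[3].matchAll(attrRe)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4];
      if (!ALLOWED[name].includes(attr)) continue; // drops onclick, style, ...
      if (attr === 'href' && !SAFE_URL.test(value)) continue;
      tag += ' ' + attr + '="' + esc(value) + '"';
    }
    out += tag + '>';
  }
  return out;
}

// Constructed sample input for the demonstration.
const SAMPLE = '<p onclick="steal()">Hi <b>there</b><script>alert(1)</script> <a href="javascript:alert(1)" title="t">x</a> <a href="https://example.com/" onmouseover="x()">ok</a><img src=x onerror=alert(1)></p>';
console.log(stripScriptTagsOnly(SAMPLE));
console.log(sanitizeHtml(SAMPLE));
```

The sketch does not balance tags or decode entities; a production sanitizer should work on a real HTML parser rather than regular expressions.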
