Results 1 to 2 of 2

Thread: Feature request... Add stripping of inline javascript to stripScripts()

  1. 24 Apr 2009, 8:21 AM #1
    zhegwood
    zhegwood is offline
    Ext User zhegwood's Avatar
    Join Date
    Dec 2007
    Location
    Boulder, CO Suburbia (Lafayette)
    Posts
    388

    Default Feature request... Add stripping of inline javascript to stripScripts()

    I'm just thinking it'd be helpful to strip inline javascript events as well as the <script> tags and their content.
  2. 4 Dec 2009, 7:31 AM #2
    lukas
    lukas is offline
    Ext User
    Join Date
    Apr 2007
    Posts
    7

    Default secure sanititze_html

    Ext misses any function to sanitize html code :-(

    There is a google-caja project (which includes a javascript sanitizer: http://code.google.com/p/google-caja...sHtmlSanitizer), which would be valuable to mention in the doc (in stripScripts) and mention that stripScript isn't secure at all.

    (google-caja works by whitelisting secure tags, attributes and css. If you like, you can define your own whitelists: http://code.google.com/p/google-caja...CajaWhitelists).


    The best solution is to implement secure sanitize_html() in ext :-)
« allowblank linked to a group of fields | FormPanel and Remote Validation »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules