Re: Displaying HTML safely

Posted by "Lauri Harpf" on 10/21/81 11:21

> Well, unless you have set your server up to execute PHP or CGI scripts in
> .html files, which is a very bad idea, the only thing you need to worry
> about is client-side scripting. You could just filter out all
> <script></script> tags if client-side scripting isn't important for your
> application...

That's one of the problems I have, but it seems a tough nut to crack. If I
leave in the scripts, it opens a possibility of malicious scripts being fed
to a user through the application.

On the other hand, if I take out the scripts, I will be providing a broken
version of the original page. People are not going to be happy if my "llama
to alpaca"-application has the side effect of deleting all of their scripts.

I've been thinking of limiting this problem by preventing the direct
displaying of the code (i.e. only allowing "Save As..." for the link to the
user-submitted HTML). I guess a bit of JS could prevent accidental
left-clicking on the link. I've also been thinking of passing a special
header for the HTML source code file, "Content-type:
application/octet-stream", to suggest downloading rather than displaying the
contents, but IE seems to just ignore it and display the HTML anyhow.

- Lauri Harpf
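A worked version of the download-only approach discussed in the post above, added here as an example and not code from the original thread or its author. It assumes a hypothetical storage directory `$storageDir` outside the web root and a hypothetical `id` query parameter; the point it shows is that the `Content-Type: application/octet-stream` header alone is only a hint, while `Content-Disposition: attachment` is the header browsers honour for "save rather than render", and `X-Content-Type-Options: nosniff` stops the body from being re-detected as HTML.

```php
<?php
// Added example (not from the original post): hand a user-submitted HTML
// file to the browser as a download only, never as a rendered page.

// Hypothetical directory outside the document root. Submissions are stored
// there under an opaque id, so no direct URL ever renders the raw HTML.
$storageDir = '/var/app/submissions';

// Accept only an opaque hex id (hypothetical parameter name). A user-supplied
// path must never be joined onto $storageDir.
$id = $_GET['id'] ?? '';
if (!preg_match('/^[a-f0-9]{32}$/', $id)) {
    http_response_code(404);
    exit;
}

$path = $storageDir . '/' . $id . '.html';
if (!is_file($path)) {
    http_response_code(404);
    exit;
}

// Fixed, server-chosen filename for the Save dialog: built from the
// validated id only, so the header cannot be broken by quotes or newlines.
$downloadName = 'submission-' . $id . '.html';

// application/octet-stream is advisory; older IE in particular may sniff the
// body and render it as HTML anyway. Content-Disposition: attachment is the
// header that requests a download, and nosniff disables content sniffing.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
header('Cache-Control: no-store');

readfile($path);
```

The file is still the user's unmodified HTML, so the approach only moves the risk out of this application's origin; anyone who opens the saved file locally runs whatever scripts it contains.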
