My XSSFilter (which now has a website [1] and is available as a rock [2]) returns nil and an error message for this input, which I think is a sensible thing to do. If you escape the angle brackets, then the tag will be included, though you will need to tell the filter to be liberal and to allow onclick and src that doesn't start with "http://".
BTW, the XML parser I am using is just Roberto's parser from the LuaXML page on the wiki.
- yuri
[1]: http://sputnik.freewisdom.org/lib/xssfilter/
[2]: "luarocks install xssfilter"
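As an added illustration (not XSSFilter's own code, and not the parser from LuaXML), the sketch below shows the strict-versus-liberal attribute policy described in the post: a tag carrying an onclick handler or an src that does not start with "http://" gets nil plus an error message, unless the caller opts into liberal mode; escaped angle brackets never form a tag and pass through as text. The check_tag function, the liberal option and the attribute allow-list are all assumptions made for this example.

```lua
-- Added example: a minimal stand-in for the policy described above, not XSSFilter's code.
-- It inspects attribute name="value" pairs in one tag string; a real filter would run
-- the parsed tree through the same rules.

-- Assumed allow-list of attribute names that need no further checks.
local ALLOWED_ATTRS = { href = true, title = true, alt = true, class = true }

-- Returns the tag unchanged when it passes, or nil plus an error message.
-- opts.liberal = true admits event handlers and non-http:// src values.
local function check_tag(tag, opts)
  opts = opts or {}
  -- Escaped brackets (&lt; ... &gt;) are plain text, so there is nothing to check.
  if not tag:match("^<") then
    return tag
  end
  for name, value in tag:gmatch('([%w%-]+)%s*=%s*"([^"]*)"') do
    local lname = name:lower()
    if lname:match("^on") then
      -- onclick, onload, ... are script hooks; only allowed in liberal mode.
      if not opts.liberal then
        return nil, "event handler attribute not allowed: " .. name
      end
    elseif lname == "src" then
      -- Strict mode insists on an explicit http:// scheme.
      if not opts.liberal and not value:match("^http://") then
        return nil, "src must start with http://: " .. value
      end
    elseif not ALLOWED_ATTRS[lname] then
      return nil, "attribute not allowed: " .. name
    end
  end
  return tag
end

-- Constructed inputs exercising the three cases from the post.
local risky = '<img src="//example.invalid/x.png" onclick="doSomething()">'
local result, err = check_tag(risky)
assert(result == nil and err ~= nil)                    -- strict: rejected with a message
assert(check_tag(risky, { liberal = true }) == risky)    -- liberal: admitted as-is
local plain = '<img src="http://example.invalid/x.png" alt="ok">'
assert(check_tag(plain) == plain)                        -- strict: clean tag passes
local escaped = '&lt;img onclick="doSomething()"&gt;'
assert(check_tag(escaped) == escaped)                    -- escaped brackets are just text
print("all checks passed")
```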