Entries from July 2007
Web browsers are quite helpful: if you are a web designer and you don't produce (X)HTML-compliant pages, they will be rendered correctly anyway, because browsers are quite fault-tolerant. But some browsers have features that are questionable; here are some advanced examples:
Even though this file has a strange extension, IE will interpret the JavaScript […]
Tags: XSS and Rails
This is Rails' sanitize method:
sanitize(html) Sanitizes the html by converting <form> and <script> tags into regular text, and removing all "onxxx" attributes (so that arbitrary Javascript cannot be executed). It also removes xhref= and xsrc= attributes that start with "javascript:".
This is a blacklist method which removes potential harmful JavaScript. As I […]
Tags: XSS and Rails