WebApp Sec mailing list archives

Re: Preventing cross site scripting


From: Laurian Gridinoc <laur () grapefruitdesign com>
Date: 20 Jun 2003 19:21:00 +0300

The most elegant way to control html input would be to parse it to a DOM
tree and control it from there; I use Tidy extensively to `correct' the
input to XHTML, then by a simple XSL transformation I can filter/alter
whatever elements I need.

If you want to drop the `object' element, just write `<xsl:template
match="object" />'; if you want to ignore it (preserving the content it
wraps), just write `<xsl:template match="object"><xsl:apply-templates
/></xsl:template>'; and if you want to copy everything else:

<!-- identity template: copies every other element, attribute, text node and comment unchanged -->
<xsl:template match="*|@*|text()|comment()">
    <xsl:copy>
        <xsl:apply-templates select="*|@*|text()|comment()" />
    </xsl:copy>
</xsl:template>


I consider filtering html as if it were a mere string (i.e. using regexp or
simple replace methods) pretty uncertain in its results and not quite
programming :) -- it's a language, it has a grammar, so use a parser.

Cheers,
-- 
Laurian Gridinoc
Chief Developer
GRAPEFRUIT DESIGN

tel/fax: +40.232.233068
tel/fax: +1.646.349.2916
mobile: +40.745.304379
e-mail: laur () gd ro
www.grapefruitdesign.com
www.gd.ro
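The parse-then-filter approach described in the post above, as an added example that is not Laurian's code or part of the original message: it uses Python's standard-library html.parser in place of Tidy and plain Python functions in place of the XSL templates, so it runs with no external dependencies. The three XSL behaviours map onto three rules: elements in DROP_WITH_CONTENT are removed together with their content (the `<xsl:template match="object" />' case), elements in ALLOWED are copied with only the listed attributes, and every other element is unwrapped (the `<xsl:apply-templates />' case). It goes one step beyond the post's identity template, which copies every unlisted element: here only allowlisted elements and attributes are copied, and href/src values must start with an allowlisted scheme. The policy tables, the Node/TreeBuilder helpers and the sample input are all constructed for this example.

```python
"""Parse-tree based HTML filter (added example, Python standard library only)."""
from html import escape
from html.parser import HTMLParser

# Policy tables (constructed for this example; tune per application).
DROP_WITH_CONTENT = {"script", "style", "object"}  # like <xsl:template match="object" />
ALLOWED = {                                        # element -> attributes kept on it
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}                               # elements that never have children
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class Node:
    """One element of the parse tree; children are Nodes or text strings."""
    def __init__(self, tag, attrs):
        self.tag, self.attrs, self.children = tag, dict(attrs), []


class TreeBuilder(HTMLParser):
    """Builds a tree from tag soup, repairing unclosed and stray tags Tidy-style."""
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded; we re-escape on output
        self.root = Node(None, [])
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = Node(tag, attrs)                    # tag/attr names are already lower-cased
        self.stack[-1].children.append(node)
        if tag not in VOID:
            self.stack.append(node)

    def handle_endtag(self, tag):
        # Close back to the matching open element; ignore closers that match nothing.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        self.stack[-1].children.append(data)

    def handle_comment(self, data):
        pass                                       # comments are discarded, not copied


def render(node):
    """Serialise the children of node under the policy tables."""
    parts = []
    for child in node.children:
        if isinstance(child, str):
            parts.append(escape(child, quote=False))   # text is always re-escaped
        elif child.tag in DROP_WITH_CONTENT:
            continue                                   # element and everything inside it vanish
        elif child.tag in ALLOWED:
            parts.append(render_element(child))        # copy with filtered attributes
        else:
            parts.append(render(child))                # unwrap: keep the content, lose the tag
    return "".join(parts)


def render_element(node):
    kept = []
    for name, value in node.attrs.items():
        if name not in ALLOWED[node.tag] or value is None:
            continue
        if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
            continue                                   # unknown URL scheme: drop the attribute
        kept.append(f' {name}="{escape(value, quote=True)}"')
    open_tag = f"<{node.tag}{''.join(kept)}>"
    if node.tag in VOID:
        return open_tag
    return f"{open_tag}{render(node)}</{node.tag}>"


def sanitize(html):
    builder = TreeBuilder()
    builder.feed(html)
    builder.close()
    return render(builder.root)


if __name__ == "__main__":
    # Constructed sample: an unclosed <b>, an event-handler attribute, an <object> wrapper,
    # a <script>, an unlisted <font>, and a pre-escaped entity in the text.
    sample = ('<p onclick="x()">Hi <b>there <i>all</i></p>'
              '<object data="a"><p>inner</p></object><script>1</script>'
              '<font color="red">f</font> &lt;tag&gt;')
    print(sanitize(sample))
```

Because the parser decodes entities on the way in and render() escapes every text node on the way out, text that arrived already escaped leaves escaped, and a tag left open by the author is closed at the right point instead of leaking into whatever follows; both are cases a string-replace filter gets wrong.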

