PerlMonks
(crazyinsomniac) Re: Turn JavaScript off on HomeNodes
by crazyinsomniac (Prior) on Sep 03, 2001 at 10:17 UTC ( [id://109821]=note )
That will not adequately strip javascript.
Slashdot|MS Security: On A Path As Clear As It Is Reliable pointed me to Expert hacks Hotmail in 1 line of code, which in turn pointed me here, which reveals that STYLE tags in Netscape will execute the stuff enclosed in style tags as javascript, if the TYPE attribute of the style tag is "application/x-javascript".

Your code:

    $str=~s/<script[^>]*>.*?<\/script[^>]*>//igs if $$USER{jsoff};

My addition (you're welcome to improve):

Also evil are object, applet and embed tags (I'm sure there are others).

update: a slightly smarter version

update: OeufMayo says in the cb, what about:

    <a href="#" onClick="alert('evil javascript here');">

Well I thought htmlScreen would take care of it, but you do override the filter
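The thread keeps finding tags and attributes that a blocklist regex misses, so this added example (not part of the original post and not PerlMonks' own code) inverts the approach: it rebuilds every tag from an allowlist and drops everything else. The `%ALLOWED` policy, the function names and the sample inputs are assumptions made for illustration, and tags are tokenized with a regex rather than an HTML parser.

```perl
use strict;
use warnings;

# Hypothetical policy: tag => attributes allowed on it. Everything else goes.
my %ALLOWED = (a => { href => 1 }, map { ($_ => {}) } qw(b i p br code pre));
# Elements whose body must be dropped along with the tags.
my $DROP_BODY = qr/script|style|object|applet|embed/i;

sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Re-emit a tag from scratch so nothing unvetted is copied through.
sub rebuild_tag {
    my ($close, $name, $attrs) = @_;
    $name = lc $name;
    return '' unless exists $ALLOWED{$name};
    return "</$name>" if $close;
    my $out = "<$name";
    while ($attrs =~ /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g) {
        my ($attr, $val) = (lc $1, defined $2 ? $2 : defined $3 ? $3 : $4);
        next unless $ALLOWED{$name}{$attr};          # drops onClick, style, ...
        next unless $val =~ m{^(?:https?://|/|#)}i;  # href: no script-bearing schemes
        $out .= qq{ $attr="} . escape_html($val) . '"';
    }
    return "$out>";
}

sub sanitize {
    my ($html) = @_;
    # 1. Remove active elements together with their contents.
    $html =~ s{<($DROP_BODY)\b[^>]*>.*?</\1[^>]*>}{}gis;
    # 2. Rebuild every remaining tag; escape any stray angle bracket.
    $html =~ s{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([<>])}
              {defined $4 ? escape_html($4) : rebuild_tag($1, $2, $3)}ge;
    return $html;
}

# Constructed samples using the vectors named in the post.
print sanitize($_), "\n" for (
    q{<b>hi</b><script>alert(1)</script>},
    q{<STYLE TYPE="application/x-javascript">alert(1)</STYLE>ok},
    q{<a href="#" onClick="alert('evil javascript here');">link</a>},
);
```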