in reply to Re: Re: Checking forms for JavaScript
in thread Checking forms for JavaScript

Valid point. But I think other event handlers also need covering - if we're gonna do one, we'd better cover *anything* that can trigger code.

And I guess you should strip all links that start "javascript:" - arghhhh.

So I guess we'd need to add something like:

    # javascript: (replace the quoted URL with an empty pair of the same quotes)
    $text =~ s/(["'])\s*javascript:.*?\1/$1$1/gis;
    # event handlers (on + 4 chars is min length)
    $text =~ s/\bon\w{4,}\s*=\s*(['"]).*?\1//gis;

Untested, but I think that might do the trick...

Have I missed anything?

cLive ;-)

Re: Re: Checking forms for JavaScript
by shotgunefx (Parson) on Jul 24, 2001 at 11:42 UTC
    Duh, I forgot all about javascript urls.

    I don't know what the purpose of this particular application in question is but it may be a good idea to yank object and applet tags as well.

    -Lee

    "To be civilized is to deny one's nature."
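
The filters discussed in this thread (javascript: URLs, event handlers, and object/applet tags), combined into one routine as an added example that is not code from either poster. The helper name `strip_active_content`, the handling of unquoted attribute values, and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the thread): applies the filters discussed
# above to one form value and returns the cleaned text.
sub strip_active_content {
    my ($text) = @_;
    my $prev;
    do {
        $prev = $text;
        # object/applet elements with their content, then any stray tags
        $text =~ s{<\s*(object|applet)\b.*?<\s*/\s*\1\s*>}{}gis;
        $text =~ s{<\s*/?\s*(?:object|applet)\b[^>]*>}{}gis;
        # event handlers: quoted value first, then unquoted value
        $text =~ s/\bon\w{4,}\s*=\s*(['"]).*?\1//gis;
        $text =~ s/\bon\w{4,}\s*=\s*[^\s>'"]+//gis;
        # javascript: URLs: quoted (leave empty quotes), then unquoted
        $text =~ s/(["'])\s*javascript:.*?\1/$1$1/gis;
        $text =~ s/=\s*javascript:[^\s>]*/=""/gis;
    } while ($text ne $prev);    # repeat until a pass changes nothing
    return $text;
}

# Constructed sample form values (not from the thread).
my @samples = (
    q{<a href="javascript:doSomething()">link</a>},
    q{<img src="a.png" onmouseover="doSomething()">},
    q{<b onclick=doSomething()>bold</b>},
    q{<applet code="X.class"></applet>after},
    q{<p>plain paragraph</p>},
);

# Print each value before and after filtering.
for my $in (@samples) {
    printf "%-48s => %s\n", $in, strip_active_content($in);
}
```

Where a form field does not need to carry markup at all, escaping `<`, `>`, `&` and both quote characters on output removes the need for these patterns.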