I wrote a webmail app once, where cross site scripting was a concern for html email messages.
I parsed the html message to a dom with htmlcleaner, then removed all <script ...> tags, onXXX="..." attributes, and href="javascript:..." links before displaying the message. Perhaps it's over the top for your scenario, but it's a safe solution against XSS. :)

http://htmlcleaner.sourceforge.net/

Martin

On Fri, 23 May 2008 17:45:02 +0200, Peter Stavrinides <[EMAIL PROTECTED]> wrote:

> Thanks Howard, we will give it a try... this is more appropriate for our
> requirements!
>
> cheers,
> Peter
>
> ----- Original Message -----
> From: "Howard Lewis Ship" <[EMAIL PROTECTED]>
> To: "Tapestry users" <users@tapestry.apache.org>
> Sent: Friday, 23 May, 2008 6:20:21 PM GMT +02:00 Athens, Beirut, Bucharest, Istanbul
> Subject: Re: Tapestry 5 validation for cross site scripting
>
> Using the "parseClient" event, you could intercept the string
> submitted by the user and do the filtering before the value is
> assigned to a page property.
>
> You could also design a translator for this purpose.
>
> On Fri, May 23, 2008 at 3:41 AM, Peter Stavrinides <[EMAIL PROTECTED]> wrote:
>> Hi All
>>
>> Can anyone offer suggestions on best practice for handling validation
>> specifically for preventing cross site scripting and code injection etc in
>> Tapestry applications. Is there anything built into the framework I could
>> use... if not what is the best way to plug something of my own in. What I
>> mean is should I write my own validator/s and use them in every form
>> component, or is there a more elegant way I should know about, say a filter
>> or something? Does anyone use a 3rd party library written specifically for
>> this?
>>
>> Thanks
>> Peter
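The DOM-based filtering Martin describes (parse with HtmlCleaner, drop <script> elements, strip on* attributes, strip javascript: links) is the same "filtering" step Howard suggests running before a submitted value reaches a page property. The Java class below is an added example, not code from the thread, from HtmlCleaner or from Tapestry; it assumes the HtmlCleaner 2.x API (HtmlCleaner, TagNode, TagNodeVisitor, SimpleHtmlSerializer) and the class and method names (HtmlMailSanitizer, sanitize, scrubAttributes, isScriptUrl) are my own. It goes slightly beyond Martin's list in two ways: it applies the scheme check to src as well as href, and it lower-cases and strips whitespace/control characters from the URL before comparing the scheme, so that the comparison is not sensitive to case or formatting.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.htmlcleaner.HtmlCleaner;
import org.htmlcleaner.HtmlNode;
import org.htmlcleaner.SimpleHtmlSerializer;
import org.htmlcleaner.TagNode;
import org.htmlcleaner.TagNodeVisitor;

/**
 * Removes active content from untrusted HTML (e.g. an email body) before it is
 * rendered inside a page. Hypothetical class written for this example; it is
 * not part of HtmlCleaner or Tapestry.
 */
public final class HtmlMailSanitizer {

    private final HtmlCleaner cleaner = new HtmlCleaner();

    /** Returns a serialized copy of the input with scripts and script-bearing attributes removed. */
    public String sanitize(String untrustedHtml) {
        TagNode root = cleaner.clean(untrustedHtml);

        // 1. Drop every <script> element, together with its contents, anywhere in the tree.
        for (TagNode script : root.getElementsByName("script", true)) {
            script.removeFromTree();
        }

        // 2. Visit every remaining element and scrub event-handler and script-URL attributes.
        root.traverse(new TagNodeVisitor() {
            public boolean visit(TagNode parentNode, HtmlNode htmlNode) {
                if (htmlNode instanceof TagNode) {
                    scrubAttributes((TagNode) htmlNode);
                }
                return true; // continue the traversal
            }
        });

        // 3. Serialize the cleaned DOM back to HTML for display.
        return new SimpleHtmlSerializer(cleaner.getProperties()).getAsString(root);
    }

    /** Removes on*="..." attributes and href/src attributes that carry a javascript: URL. */
    static void scrubAttributes(TagNode node) {
        // Collect first, then remove, so the attribute map is not modified while iterating.
        List<String> toRemove = new ArrayList<String>();
        for (Map.Entry<String, String> attr : node.getAttributes().entrySet()) {
            String name = attr.getKey().toLowerCase();
            if (name.startsWith("on")) {
                toRemove.add(attr.getKey());              // onclick, onload, onerror, ...
            } else if ((name.equals("href") || name.equals("src")) && isScriptUrl(attr.getValue())) {
                toRemove.add(attr.getKey());              // href="javascript:..." and friends
            }
        }
        for (String name : toRemove) {
            node.removeAttribute(name);
        }
    }

    /**
     * True when the URL's scheme is javascript:. Case and whitespace/control
     * characters are normalized away before the comparison.
     */
    static boolean isScriptUrl(String value) {
        if (value == null) {
            return false;
        }
        StringBuilder normalized = new StringBuilder();
        for (char c : value.toCharArray()) {
            if (c > ' ') {
                normalized.append(Character.toLowerCase(c));
            }
        }
        return normalized.toString().startsWith("javascript:");
    }

    public static void main(String[] args) {
        // Constructed sample input for the example; not taken from any real message.
        String sample = "<p onmouseover=\"x()\">Hello <a href=\"JavaScript:y()\">link</a>"
                + "<script>z()</script><img src=\"cid:logo\"></p>";
        System.out.println(new HtmlMailSanitizer().sanitize(sample));
    }
}
```

This is a removal (blocklist) filter, as in Martin's description; it neutralizes the three vectors he names but does not constrain which tags and attributes are allowed, so a stricter deployment would pair it with an allowlist of permitted elements. In a Tapestry form, the same sanitize call is the natural body of the filtering Howard places in parseClient or in a custom translator.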