[jdev] Re: XHTML-IM XEP implementation
Bernhard Zwischenbrugger
bz at datenkueche.com
Fri Jan 5 07:15:13 CST 2007
Hi
I'm looking for an XSS filter, but couldn't find an XSLT-based
filter for XHTML.
I make browser-based Jabber clients and the problem with
XHTML (SVG) is that it is very difficult to get rid of JavaScript.
If a "cracker" is able to execute JavaScript in my client, he is able
to take over the account - that's not good.
Here I tried to make a filter:
http://lamp2.fh-stpoelten.ac.at/%7Elbz/beispiele/ws2006/xss/
If somebody has a better filter please tell me. Otherwise feel free to
test and improve it.
Bernhard
> Indeed. And on top of that, client implementations that support
> XHTML-IM are strongly urged to sanitize incoming messages instead of
> blindly feeding them to an embedded HTML renderer. This is how malware
> gets its chance.
>
> This also goes for a possible XHTML document enclosure XEP, or any other
> non-local data for that matter.
>
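The sanitizing step discussed in this message, as an added example that is not part of the original post and is not Bernhard's XSLT filter: an allowlist re-serializer in JavaScript for an already-parsed XHTML-IM body, which rebuilds the markup from known-safe elements, attributes and URL schemes instead of trying to strip script out. The element list, attribute list, scheme list and all names (`sanitize`, `ALLOWED`, `sample`) are assumptions chosen for illustration, not the XEP's normative profile.

```javascript
// Assumed policy for illustration; not the normative XHTML-IM profile.
const ALLOWED = new Map([
  ["a", ["href"]], ["img", ["src", "alt"]], ["blockquote", []], ["br", []],
  ["em", []], ["strong", []], ["p", []], ["span", []],
  ["ul", []], ["ol", []], ["li", []],
]);
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed", "svg"]);
const VOID = new Set(["br", "img"]);
const SAFE_URL = /^(https?|xmpp|mailto):/i; // allowlist of schemes, so javascript: never passes
const esc = (s) => String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Accepts any node with the DOM shape (nodeType, localName, attributes,
// childNodes, nodeValue) and returns a re-serialized, filtered string.
function sanitize(node) {
  if (node.nodeType === 3 || node.nodeType === 4) return esc(node.nodeValue); // text, CDATA
  if (node.nodeType !== 1) return ""; // comments, processing instructions
  const name = node.localName.toLowerCase();
  if (DROP_WITH_CONTENT.has(name)) return ""; // element and everything inside it
  const inner = Array.from(node.childNodes).map(sanitize).join("");
  const allowed = ALLOWED.get(name);
  if (!allowed) return inner; // unknown element: keep only its filtered children
  let attrs = "";
  for (const { name: attrName, value } of Array.from(node.attributes)) {
    const a = attrName.toLowerCase();
    if (!allowed.includes(a)) continue; // drops on* handlers, style, xlink:href, ...
    if ((a === "href" || a === "src") && !SAFE_URL.test(value.trim())) continue;
    attrs += ` ${a}="${esc(value)}"`;
  }
  return VOID.has(name) ? `<${name}${attrs}/>` : `<${name}${attrs}>${inner}</${name}>`;
}

// Constructed sample input: plain objects with the DOM shape, so this runs without a browser.
const text = (s) => ({ nodeType: 3, nodeValue: s, childNodes: [] });
const el = (localName, attrs = {}, ...kids) => ({
  nodeType: 1, localName, childNodes: kids,
  attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
});
const sample = el("body", {},
  el("p", { onclick: "x()", style: "width:expression(x())" }, text("hi "),
    el("a", { href: "javascript:x()" }, text("link")),
    el("a", { href: "https://example.org/?a=1&b=2" }, text("ok"))),
  el("svg", { onload: "x()" }, el("script", {}, text("x()"))),
  el("img", { src: "https://example.org/x.png", onerror: "x()" }));
```

In a browser client the same function can be handed the DOM element of the parsed stanza, since it only reads standard DOM properties.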