Cleaning all inline events from HTML tags

Posted by Itay Moav on Stack Overflow See other posts from Stack Overflow or by Itay Moav
Published on 2009-08-11T03:59:42Z Indexed on 2010/04/08 12:03 UTC
Read the original article Hit count: 362

Filed under:

html

|

sanitization

|

security

|

xss

For HTML input, I want to neutralize all HTML elements that have inline js (onclick="..", onmouseout=".." etc). I am thinking, isn't it enough to encode the following chars? =,(,)

So onclick="location.href='ggg.com'"
will become onclick%3D"location.href%3D'ggg.com'"

What am I missing here?

Edit: I do need to accept active HTML (I can't escape it all or entities is it).

© Stack Overflow or respective owner

Related posts about html

Install usblib package - Ubuntu

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I need the package libusb for another package I am installing. I tried the following which seemed to install the package, sudo apt-get install libusb-dev but when I try to install the other package I get, configure: error: Package requirements (libusb-1.0 >= 0.9.1) were not met: No package… >>> More
Prevent malicious vulnerability scan increasing load on a server

as seen on Server Fault - Search for 'Server Fault'
Hi all, this week we have been suffering some malicious vulnerability scans to our servers, increasing the load on them, making them nearly unusable. The attack is easy to defend, just blocking the offending ip, but only after discovering it. Is there any form of prevent it? Is it normal that… >>> More
can't install psycopg2 in my env on mac os x lion

as seen on Server Fault - Search for 'Server Fault'
I tried install psycopg2 via pip in my virtual env, but got this error: ld: library not found for -lpq (full log here: http://pastebin.com/XdmGyJ4u ) I tried install postgres 9.1 from .dmg and via port, (gksks)iMac-Alexander:~ lorddaedra$ locate libpq /Developer/SDKs/MacOSX10.7.sdk/usr/include/libpq /Developer/SDKs/MacOSX10… >>> More
Bitnami redmine error SVN

as seen on Server Fault - Search for 'Server Fault'
I'm installing the Bitnami Redmine stack (redmine + subversion). Firstly I install configure and test it locally (Ubuntu 14.04 LTS). And everything is OK. I install Bitnami stack on server (Red Hat 4.4.7-4) and configure SVN. I commit files into SVN and connect project into Redmine with SVN repository… >>> More
Can the .htaccess file slow down a website to a crawl? If so, are there better ways to solve these problems with different rewrite rules and such?

as seen on Pro Webmasters - Search for 'Pro Webmasters'
here is my htaccess file...... RewriteCond %{REQUEST_URI} ^/patients/billing/FAQ_billing\.html$ [OR] RewriteCond %{REQUEST_URI} ^/patients/billing/getintouch\.html$ RewriteRule ^patients/billing/(.*)\.html$ $1.php [L,NC] RewriteCond %{REQUEST_URI} ^/patients/findadoctor/a\.html$ [OR] RewriteCond… >>> More

Related posts about sanitization

Skip sanitization for videos in html5lib

as seen on Stack Overflow - Search for 'Stack Overflow'
I am using a wmd-editor in django, much like this one in which I am typing. I would like to allow the users to embed videos in it. For that I am using the Markdown video extension here. The problem is that I am also sanitizing user input using html5lib sanitization and it doesn't allow object tags… >>> More
Is there a PHP library that performs MySQL Data Validation and Sanitization According to Column Type

as seen on Stack Overflow - Search for 'Stack Overflow'
Do you know of any open source library or framework that can perform some basic validation and escaping functionality for a MySQL Db. i envisage something along the lines of: //give it something to perform the quote() quoteInto() methods $lib->setSanitizor($MyZend_DBAdaptor); //tell it structure… >>> More
PHP preg_replace() pattern, string sanitization.

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a regex email pattern and would like to strip all but pattern-matched characters from the string, in a short I want to sanitize string... I'm not a regex guru, so what I'm missing in regex? <?php $pattern = "/^([\w\!\#$\%\&\'\*\+\-\/\=\?\^\`{\|\}\~]+\.)*[\w\!\#$\%\&\'\*\+\-\/\=\… >>> More
Explanation of this SQL sanitization code

as seen on Stack Overflow - Search for 'Stack Overflow'
I got this from for a login form tutorial: function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } Could some one explain exactly what this does? I know that the… >>> More
Are these two functions overkill for sanitization?

as seen on Stack Overflow - Search for 'Stack Overflow'
function sanitizeString($var) { $var = stripslashes($var); $var = htmlentities($var); $var = strip_tags($var); return $var; } function sanitizeMySQL($var) { $var = mysql_real_escape_string($var); $var = sanitizeString($var); return $var; } I got these two functions from… >>> More