Sanitising HTML

It was pointed out to me that comments on my old posts were showing as raw HTML (you know, a sort of \<p>this is a comment\</p> sort of thing). I knew this. However, the reason it was like that is because it occurred to me about five minutes after releasing thort, the engine that now runs this place, that comment HTML was just displayed. Unsanitised.

Cross-site scripting, anyone? Oops.

So I just threw an “escape” filter into my comment template (which uses the great Trimpath JavaScript templating engine) so that I couldn’t be brutally pwnt by anyone posting a comment.

Finally this evening I thought: I’d better do something about that. Two minutes of Googling brought me to Caja’s HTML sanitizer, written in JavaScript. It was the work of but a moment to throw that into the CouchDB view that generates comments so that outputted comment HTML was sanitized. It was the work of but one more moment to also throw that into the client-side JavaScript that displays a posted comment. It’s really nice being able to use exactly the same code on client and server.

More in the discussion (powered by webmentions)

  • (no mentions, yet.)