Thread: stripTags() function doesn't work properly as it expected to do

stripTags() function doesn't work properly as it expected to do
user name
2007-12-16 17:34:18
I've noticed a strange behavior of the stripTags() function.
As the documentation says about stripTags(): Strips a string of any HTML tag.
But this function eliminates only the tags, not the content inside.
I tested it with a response containing a mix of JSON data and some HTML code.
Here it is:

*******************   JSP PAGE **********************************************
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib uri="http://www.atg.com/taglibs/json" prefix="json" %>
<json:object>
	<json:object name="elements">
		<json:property name="Rating" value="$" />
		<json:property name="Count" value="$"/>
	</json:object>
</json:object>
<script>alert('Bye bye');</script>
<div>I will survive after stripTags()</div>
******************************************************************************

Then, in my JavaScript I typed the following code (responseText is retrieved after the AJAX call; for simplicity I omit the AJAX code and provide only a piece of the callback function onAjaxLoad):

//JavaScript code
var responseText = responseText.stripScripts().stripTags().strip(); // malicious text is still present in the response.

The stripScripts() function eliminates the <script>[content]</script> tag totally. But after stripTags() finished, the "I will survive after stripTags()" text is still present in responseText.

Everything would be fine if the stripTags() function had worked like stripScripts() did.
Is this the correct behavior for the stripTags() function?
If yes, then the documentation should be changed.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Spinoffs" group.
To post to this group, send email to rubyonrails-spinoffsgooglegroups.com
To unsubscribe from this group, send email to rubyonrails-spinoffs-unsubscribegooglegroups.com
For more options, visit this group at http://groups.google.com/group/rubyonrails-spinoffs?hl=en
-~----------~----~----~----~------~----~------~--~---


Re: stripTags() function doesn't work properly as it expected to do
user name
2007-12-16 17:39:06
Yeah, it's working correctly. The idea is to remove *only* the tags, in order to, for example, 'clean' client code. (You don't want that <h1> they put breaking up all your layout.)

If you look at the first example, you'll see that they remove the tag, but the content remains.

Best,
-Nicolas

On Dec 16, 2007 9:34 PM, spyboost <spyboostgmail.com> wrote:

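To make the distinction Nicolás describes concrete, here is an added example (not code from the thread or from Prototype itself): two small functions modelled on Prototype's regex approach, run over a constructed response shaped like the JSP output in the first post. The regex patterns, the helper names and the sample JSON values are assumptions, not the library's own code.

```javascript
// Added example modelled on Prototype's regex-based stripScripts()/stripTags();
// the exact patterns are an assumption about the library, not its source.

// stripScripts(): removes whole <script>...</script> elements, content included.
const SCRIPT_FRAGMENT = /<script[^>]*>([\S\s]*?)<\/script\s*>/gim;
function stripScripts(s) {
  return s.replace(SCRIPT_FRAGMENT, '');
}

// stripTags(): removes only the tags themselves; the text they wrapped survives.
// That is why "<div>I will survive...</div>" keeps its text, and why stripTags()
// alone would turn "<script>alert('Bye bye');</script>" into plain text that
// still contains the script body. It tidies markup; it is not a sanitizer.
const TAG = /<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?>|<\/\w+>/gi;
function stripTags(s) {
  return s.replace(TAG, '');
}

// escapeHTML(): the right tool when untrusted text is going to be *displayed*.
// Nothing is removed, and nothing can be interpreted as markup by the browser.
function escapeHTML(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Constructed sample mirroring the JSP output from the first post
// (the JSON values "4" and "12" are made up; the page elides them).
const SAMPLE_RESPONSE = [
  '{"elements":{"Rating":"4","Count":"12"}}',
  "<script>alert('Bye bye');</script>",
  '<div>I will survive after stripTags()</div>',
].join('\n');

// The chain from the first post: scripts gone, tags gone, text kept.
// (Prototype's strip() corresponds to String.prototype.trim().)
function cleanLikeThePost(s) {
  return stripTags(stripScripts(s)).trim();
}

console.log(cleanLikeThePost(SAMPLE_RESPONSE));
console.log(stripTags("<script>alert('Bye bye');</script>"));
```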


Re: stripTags() function doesn't work properly as it expected to do
user name
2007-12-16 17:47:42
Thanks for the quick reply.
But the documentation is a little bit confusing. Almost the same text as for stripScripts but absolutely different behavior.))

On 17 Dec, 00:39, "Nicolás Sanguinetti" <godf...gmail.com> wrote:


Re: stripTags() function doesn't work properly as it expected to do
user name
2007-12-16 17:58:01
Well, would you like to submit a documentation patch? 

Best,
-N

On Dec 16, 2007 9:47 PM, spyboost <spyboostgmail.com> wrote:


Re: stripTags() function doesn't work properly as it expected to do
user name
2007-12-19 09:29:11
Well, no, I think now it describes the behavior well. At least I know what it does.

On 17 Dec, 00:58, "Nicolás Sanguinetti" <godf...gmail.com> wrote:
