
You can use the options to set the output as text() rather than html(), e.g. $('div').magicpreview('mp_', { 'change': 'text' });

But yes, I should really add a flag to strip out any script elements :)




XSS detection is not just as simple as that. For example, in IE, entering the following produces a pop-up:

   <table style="background-image:url(javascript:alert(1))"><tr><td>Hi</td></tr></table>
However, read debt's comment below. XSS is irrelevant here since "XSS" means cross-site scripting, i.e., managing to embed JavaScript into pages someone ELSE sees. Only the client sees this; it doesn't get reproduced for anyone else.



