I want to strip almost every html tag from a string in javascript, allowing only a few basic tags
(& strip their attributes) to prevent Cross-Site-Scripting.
A lot of people say, it shouldn't be done with javascript, because clients might have javascript disabled, causing the filter to break. However my whole project depends on javascript, and no client with disabled javascript will ever see the output, plus I am unable to do it server-side.
(1) Am I right to assume in this case it might be done securely?
bobince recommends to use the DOM (instead of RegEx) to filter the potentially insecure input. I am certainly no XSS expert but because his example depends on the string being inserted to the DOM before the filter does his job, I could imagine it might be insecure because of something like:
var unsecureString = '<img src=".." onload="alert(\'bad\')" />';
$('#alice').update(unsecureString);
filterNodes($('#alice'), {p:[],a:['href']}); // see link above
(2) Can I be certain, the bad event above won't ever fire?
(3) If not: How to avoid such problems, but still use the DOM?
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 一夜七次 的文章《securely strip html tags in javascript with whitel》','https://www.manongdao.com/article-728116.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}