
Well in HTML you can use a sandboxed iframe (or <webview> in technologies that have it), but it's not cheap.


I just remembered visiting a website that used iframes with script tags disabled for users' signatures. It was a pretty interesting approach.


I just hope they used a proper lib like Purifier to do it, or someone's going to have fun with `onmouseover`.


I think that when it's sandboxed with the proper attributes, you can't do anything apart from trashing the content of the frame.


I had no clue that was so widely supported. No IE8/9 but virtually everything else. Neato! http://caniuse.com/#feat=iframe-sandbox
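
Added example, not part of the thread or written by any commenter: a sketch of the approach discussed above, rendering an untrusted signature inside an iframe with an empty `sandbox` attribute so scripts and inline handlers such as `onmouseover` do not run, plus a check for sandbox values that hand capabilities back. The function names (`escapeAttr`, `auditSandbox`, `signatureFrame`) and the sample input are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not from any site or library.

// Escape a string for a double-quoted HTML attribute value (used for srcdoc).
// '&' is escaped first so already-escaped text is not decoded a second time.
function escapeAttr(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Sandbox tokens that give capabilities back to the framed content.
const RISKY = new Set(["allow-scripts", "allow-same-origin",
  "allow-top-navigation", "allow-forms", "allow-popups"]);

// Return findings for a sandbox attribute value (null means attribute absent).
function auditSandbox(value) {
  if (value === null || value === undefined) {
    return ["no sandbox attribute: content is not sandboxed"];
  }
  const tokens = value.toLowerCase().split(/\s+/).filter(Boolean);
  const findings = tokens.filter((t) => RISKY.has(t)).map((t) => `grants ${t}`);
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    // With same-origin content (srcdoc inherits the embedder's origin),
    // the frame's script can reach the parent and drop the sandbox.
    findings.push("allow-scripts with allow-same-origin can undo the sandbox");
  }
  return findings;
}

// Build the markup: an empty sandbox value applies every restriction, so the
// signature's markup is displayed but no script or event handler executes.
function signatureFrame(untrustedHtml) {
  return `<iframe sandbox="" srcdoc="${escapeAttr(untrustedHtml)}"></iframe>`;
}

// Constructed sample signature containing an inline event handler.
const sample = '<b onmouseover="alert(1)">hi</b> & bye';
console.log(signatureFrame(sample));
console.log(auditSandbox("allow-scripts allow-same-origin"));
```
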



