by aban
3457 days ago
This is not true, at least not anymore. Yesod uses xss-sanitize [0], and their sanitize function does indeed prevent "javascript:" attempts. They even have a test case for it [1]. Playing around with it in the REPL:

Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=javascript:alert('XSS')>"
"<img>"
Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=\"javascript:alert('XSS')\">"
"<img>"
Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=fine>"
"<img src=\"fine\">"
Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=\"this is ok too\">"
"<img src=\"this is ok too\">"

[0]: https://hackage.haskell.org/package/xss-sanitize
[1]: https://github.com/yesodweb/haskell-xss-sanitize/blob/9a9101...
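The rule the REPL session above illustrates, a URL-scheme allowlist on URI-bearing attributes, written out in Python as an added example; this is not xss-sanitize's own code, and the allowlist (`ALLOWED_SCHEMES`), the attribute set and the `sanitize` name are assumptions chosen to reproduce the four results shown.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: only these URL schemes may appear in src/href.
# "" covers relative URLs such as "fine" or "this is ok too".
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}
URI_ATTRIBUTES = {"src", "href"}


def uri_is_allowed(value: str) -> bool:
    """Accept a URL only if its scheme is on the allowlist."""
    # urlparse lowercases the scheme, so "JavaScript:" is caught as well.
    return urlparse(value.strip()).scheme in ALLOWED_SCHEMES


class UriSchemeFilter(HTMLParser):
    """Re-serialise HTML, dropping URI attributes whose scheme is not allowed."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name in URI_ATTRIBUTES and (value is None or not uri_is_allowed(value)):
                continue  # <img src=javascript:...> comes out as a bare <img>
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.parts.append("<" + " ".join([tag, *kept]) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(escape(data))


def sanitize(fragment: str) -> str:
    """Hypothetical stand-in for the URI-scheme part of xss-sanitize's `sanitize`."""
    parser = UriSchemeFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)
```

Tag names and attribute names arrive lowercased from the parser, which is why `<IMG SRC=...>` is emitted as `<img src="...">`, matching the REPL output.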