by jrockway 5258 days ago
But of course, anyone who actually wants to protect against XSS attacks won't allow user input to be evaluated. If they did want to allow user-supplied JavaScript, they wouldn't blacklist, they would whitelist (by parsing the user-supplied script and using the AST to emit only whitelisted operations).
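The parse-then-whitelist approach the comment describes, as an added example that is not part of the original post. It uses Python's standard `ast` module rather than a JavaScript parser only because that parser ships with the language; the permitted variable names (`price`, `qty`) and the length limit are assumptions for illustration.

```python
import ast

# Allowlisted operators, keyed by AST node class. Anything not here is rejected.
OPS = {ast.Add: "+", ast.Sub: "-", ast.Mult: "*", ast.Div: "/",
       ast.Eq: "==", ast.NotEq: "!=", ast.Lt: "<", ast.LtE: "<=",
       ast.Gt: ">", ast.GtE: ">="}
ALLOWED_NAMES = {"price", "qty"}  # assumed set of variables a user may reference
MAX_LEN = 200                     # assumed bound; deeply nested input can exhaust the parser


class Rejected(ValueError):
    pass


def emit(node):
    """Re-emit source from the AST, accepting only whitelisted node shapes.

    The emitter never copies raw input: every output token is produced from a
    recognised node, so calls, attribute access, subscripts, strings and
    anything else not listed below cannot reach the output."""
    if isinstance(node, ast.Expression):
        return emit(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return repr(node.value)
    if isinstance(node, ast.Name) and node.id in ALLOWED_NAMES:
        return node.id
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return f"(-{emit(node.operand)})"
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return f"({emit(node.left)} {OPS[type(node.op)]} {emit(node.right)})"
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and type(node.ops[0]) in OPS):
        op = OPS[type(node.ops[0])]
        return f"({emit(node.left)} {op} {emit(node.comparators[0])})"
    raise Rejected(f"disallowed syntax: {type(node).__name__}")


def sanitize(source):
    """Parse untrusted expression text and return a re-emitted, whitelisted form."""
    if len(source) > MAX_LEN:
        raise Rejected("input too long")
    try:
        tree = ast.parse(source, mode="eval")
    except (SyntaxError, RecursionError, ValueError) as exc:
        raise Rejected(f"unparseable: {exc}") from None
    return emit(tree)


def accepted(source):
    """True if the expression survives the whitelist, False if it is rejected."""
    try:
        sanitize(source)
        return True
    except Rejected:
        return False
```

The output is fully parenthesised because it is regenerated from the tree, not copied from the input; that is the property that makes an allowlist safer than pattern-based blacklisting.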