
#1 2010-01-11 16:06:29

Florin
New member
Registered: 2010-01-11
Posts: 2

How best to deal with security issues and Xinha?

As I understand it, Xinha works by simply replacing a <textarea>, and the HTML is then sent in the POST request when a user hits submit. Of course, a user could then simply submit his own HTML in a custom POST request, and this HTML can have JavaScript, tags I don't allow and invalid XHTML.

So clearly I need something on the server side to ensure only certain XHTML tags have been submitted and that the XHTML is valid, without any JavaScript. How do others handle this? Is there a good library, preferably in Java, for this?


#2 2010-01-11 19:40:58

gogo
Xinha Leader
From: New Zealand
Registered: 2005-02-11
Posts: 1,015

Re: How best to deal with security issues and Xinha?

This isn't really a Xinha question: anybody can post anything they want to your server, no Xinha required. You should always perform input validation, whether you are using Xinha or not.

Xinha does not (claim to) produce valid XHTML; browsers are not strict about it, and Xinha really doesn't bother to attempt to enforce it (too difficult, too problematic).

You should simply strip out tags, attributes and URLs you do not wish present.

For PHP, I use a modified version of the Safe HTML parser by Roman Ivanov. It strips these:

* opening tag without its closing tag
* closing tag without its opening tag
* any of these tags: "base", "basefont", "head", "html", "body", "applet", "object", "iframe", "frame", "frameset", "script", "layer", "ilayer", "embed", "bgsound", "link", "meta", "style", "title", "blink", "xml" etc.
* any of these attributes: on*, data*, dynsrc
* javascript:/vbscript:/about: etc. protocols
* expression/behavior etc. in styles
* any other active content

I modified it mostly to permit certain embeds which are OK, YouTube etc.


James Sleeman

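The strip list above, implemented as an allowlist sanitizer. This is an added example written for this page, not Xinha's code and not Roman Ivanov's Safe HTML parser; it uses only the Python standard library, and the tag and attribute allowlists (ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_SCHEMES) are assumptions you would tune for your own site. It takes the allowlist view rather than the blocklist one: every tag or attribute not explicitly permitted is dropped, which covers the "any other active content" bullet without having to enumerate it. It also handles the two structural bullets, closing tags that were left open and discarding closing tags that have no opening tag, so the output is always balanced.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed for this example): anything not named here is dropped, so
# base, html, body, embed, bgsound, link, meta, blink ... need no enumeration.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li", "a", "img",
    "h1", "h2", "h3", "blockquote", "pre", "code", "table", "tr", "td", "th",
}
VOID_TAGS = {"br", "img"}
# Blocked tags whose text content must disappear too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "head", "title", "xml", "object",
                     "applet", "iframe", "frameset", "layer", "ilayer"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class", "style"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value: str) -> bool:
    """Reject javascript:/vbscript:/about:/data: etc.; allow relative URLs."""
    # Browsers ignore control characters and whitespace inside a scheme, so
    # strip them before looking ("java\tscript:" is still javascript:).
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", v)
    return m is None or m.group(1) in SAFE_SCHEMES


def safe_style(value: str) -> bool:
    """Reject inline CSS carrying expression()/behavior/url() active content."""
    v = re.sub(r"/\*.*?\*/", "", value, flags=re.S)   # comments used to split words
    v = re.sub(r"\s", "", v).lower()
    bad = ("expression", "behavior", "javascript", "url(", "\\", "-moz-binding", "@import")
    return not any(b in v for b in bad)


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)   # entities decoded, incl. in attributes
        self.out: list[str] = []
        self.open: list[str] = []       # allowed tags currently open, innermost last
        self.skip_depth = 0             # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # tag dropped, its text content kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:       # drops on*, data*, dynsrc, ...
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            if name == "style" and not safe_style(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag not in self.open:
            return                      # closing tag without its opening tag
        while self.open:                # close anything still open inside it
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE>, <?xml ?> etc. are dropped by HTMLParser's defaults.

    def result(self) -> str:
        self.close()
        while self.open:                # opening tag without its closing tag
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return html reduced to the allowlist, re-serialised with balanced tags."""
    s = Sanitizer()
    s.feed(html)
    return s.result()


if __name__ == "__main__":
    # Constructed sample of what a hostile client could POST in place of Xinha output.
    hostile = ('<p onclick="alert(1)">Hi <b>there</p><script>alert(2)</script>'
               '<a href="&#106;avascript:alert(3)">x</a></div>'
               '<img src="x.png" dynsrc="evil" onerror="steal()">')
    print(sanitize(hostile))
```

Two points worth noting. Entity-encoded URLs (`&#106;avascript:`) are caught only because the parser decodes attribute values before the scheme check; a sanitizer that regex-matches the raw POST body misses them. And the output is re-serialised from the parsed tree rather than patched in place, which is what makes the "unbalanced tag" bullets cheap to honour. On the JVM, the OWASP Java HTML Sanitizer and jsoup's safelist cleaning take the same allowlist approach and are the usual answer to the original question.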
