
Is it technically possible to completely strip out javascript but still retain full html + css compatibility? I had the impression that somebody always finds a way to outsmart any filter using UTF arcana or some other method.


     Content-Security-Policy: sandbox allow-same-origin allow-top-navigation allow-forms;
That gives you HTML + CSS - JS for the whole page.


Hmm. I can't say for absolute sure, but if the root document is HTML and there are no <script> tags (or <iframe>s, I guess), I don't see how you'd get JavaScript to execute. I think those are strictly the only entry-points JS can have, and it's not like HTML or CSS could mutate the document to create one after the fact.

EDIT: I brainfarted and totally forgot about inline event handlers. Go easy on the downvotes please.


  <div onclick="alert(0)">whoops</div>
If you want to dive down the rabbit hole, here's a good place to start: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_She...


Ah right, duh. Still, I feel like there would be an enumerable set of properties that can execute JS.


There is an enumerable set of HTML and CSS properties, so yeah.

That document is scary! There are 70 different ways to encode an opening angle bracket, which is just a tiny side note...
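
An added example, not part of the thread or any commenter's code: a Python audit that parses a page with the standard-library `html.parser` and reports the JavaScript entry points named above (`<script>`, `<iframe>`, inline `on*` handlers), next to the substring check that misses them and the sandbox header quoted earlier. The function names and the sample page are assumptions made for illustration, and the list of entry points is limited to those the thread mentions.

```python
from html.parser import HTMLParser

# Header value quoted in the thread; the browser enforces it whatever the markup says.
SANDBOX_CSP = "sandbox allow-same-origin allow-top-navigation allow-forms;"


class EntryPointAuditor(HTMLParser):
    """Records the JS entry points named in the thread (not an exhaustive list)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _col = self.getpos()
        # HTMLParser lowercases tag and attribute names, so <SCRIPT> and OnClick match.
        if tag in ("script", "iframe"):
            self.findings.append((line, tag, "element"))
        for name, _value in attrs:
            if name.startswith("on"):  # inline event handler: onclick, onload, ...
                self.findings.append((line, tag, name))


def audit(html):
    """Return (line, tag, what) tuples for every entry point found."""
    parser = EntryPointAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def no_script_tags(html):
    """The substring check that misses inline handlers."""
    return "<script" not in html.lower()


def response_headers():
    """Headers for serving untrusted HTML with scripting disabled by the sandbox."""
    return {"Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": SANDBOX_CSP}


# Constructed sample page; line 2 is the snippet posted in the thread.
SAMPLE = """<p>hello</p>
<div onclick="alert(0)">whoops</div>
<IMG SRC="x.png" OnLoad="alert(0)">
<iframe src="about:blank"></iframe>
"""
```

The audit is a review aid for markup you control; the sandbox header is the enforcement layer, because it applies even to an entry point the audit does not know about.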



