Security risks from user-submitted HTML

长情又很酷 2021-01-21 07:22

I am using a contentEditable div that allows users to edit the body HTML and then post it directly to site using an AJAX request. Naturally, I have to do some security checks o

4 Answers
  •  时光取名叫无心
    2021-01-21 07:49

    JavaScript can be called any number of ways by using the event attributes on elements, like:

    
    

    A similar question posted here recommends using HTMLPurifier instead of trying to handle this on your own.
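
An added example, not part of the original thread or of HTMLPurifier: a minimal server-side allowlist filter showing why event attributes are handled by keeping only known-good tags and attributes instead of listing every handler name. The policy in `ALLOWED` and `SAFE_HREF`, the names `AllowlistSanitizer` and `sanitize`, and the sample input are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: the only tags/attributes the editor may emit.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href", "title"}}
# Positive match on link targets; javascript:, data: and the rest never match.
SAFE_HREF = re.compile(r"(?:https?://|mailto:|/|#)", re.IGNORECASE)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []  # dropped: (tag, attr); attr None = whole tag
        self.skip = 0  # >0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        if tag not in ALLOWED:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED[tag]  # on* handlers are never in the allowlist
            if ok and name == "href":
                ok = SAFE_HREF.match(value) is not None
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):  # returns (clean_html, dropped)
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped

SAMPLE = '<p onclick="track()">Hi</p><script>steal()</script>'  # constructed input
```

The `dropped` list is worth logging on the server: a submission from a normal contentEditable session should rarely produce entries in it.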
