Is using jquery parseHTML to remove script tags enough to prevent XSS attacks?
问题 We are using a WYSWIG Editor(Froala Editor) and storing raw HTML that is created by the user. Thus, escaping the string is not an option. I am intending to store the HTML string in a variable or a data-attribute enclosed within quotes. Then, read that HTML string and remove script tags using jquery's parseHTML as well as keep only certain attributes before loading the HTML into the editor. Is this approach enough to prevent all XSS attacks? 回答1: It is not. A few counter-examples: <a href=