Reintroduce the raw html feature securized

[paradoxxxzero]

Use a good script stripping method to clean the inserted html to avoid mailicious script injection.

http://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression
and https://github.com/LiftoffSoftware/htmltag/blob/master/htmltag.py#L186

could be a start.

[paradoxxxzero]

Following to a discussion with GateOne developer, this should be reintroduced as a DCS control rather than dirty OSC99 hack.
The escape format will be:

\x90;TYPE|CONTENT\x9c

Where TYPE here will be HTML and content the raw html to be stripped.

[paultag]

Ftr my example svg had no script tags
On Mar 7, 2014 4:20 AM, "Mounier Florian" notifications@github.com wrote:

Following to a discussion with GateOne developer, this should be
reintroduced as a DCS control rather than dirty OSC99 hack.
The escape format will be:

\x90;TYPE|CONTENT\x9c

Where TYPE here will be HTML and content the raw html to be stripped.

Reply to this email directly or view it on GitHubhttps://github.com//issues/22#issuecomment-36979996
.

[paradoxxxzero]

Yes, all on* attributes must be removed too.
I was wondering, maybe using an embed tag with a data url should be enough to prevent any exploit ?