[jdev] Re: XHTML-IM XEP implementation

Bernhard Zwischenbrugger bz at datenkueche.com
Fri Jan 5 07:15:13 CST 2007


I'm looking for a xss filter, but couldn't find a xslt based
filter for xhtml.

I make browser based jabber clients and the problem with
xhtml (svg) is, that it is very difficult to get rid of javascript.

If a "cracker" is able to execute javascript in my client, he is able
to take over the account - that's not good.

Here I tried to make a filter:

If somebody has a better filter please tell me. Otherwise feel free to
test and improve it.


> Indeed. And on top of that, client implementations that support
> XHTML-IM, are strongly urged to sanitize incoming messages instead of
> blindly feeding it to an embedded HTML renderer. This is how malware
> gets its chance.
> This also goes for a possible XHTML document enclosure XEP, or any other
> non-local data for that matter.

More information about the JDev mailing list