I recently came across Caja, which seems to be an effective way to prevent XSS. From their site:
The Caja Compiler is a tool for making third party HTML, CSS and JavaScript safe to embed in your website. It enables rich interaction between the embedding page and the embedded applications. Caja uses an object-capability security model to allow for a wide range of flexible security policies, so that your website can effectively control what embedded third party code can do with user data.
and also:
Caja turns a piece of Web content -- roughly, a snippet of HTML, CSS and JavaScript that you would see within the body tag of an HTML page -- into a Caja module. This module is represented as a single JavaScript module function that can be run within a Caja container.
Does this mean that by using Caja I could give a user the ability to insert HTML/CSS without having to worry about possible XSS attacks?