Open Letter to Gareth Heyes: Regex HTML Sanitisation Doesn’t Work
Dear Gareth Heyes,
I thank you for your response, which claims that regex HTML sanitisation can work.
As such, HTMLReg and your article title fall outside the context of my original article. I do, however, applaud the concept of using the browser DOM. While I cannot comment on the efficacy of client-side filtering for cross-site scripting (XSS), the use of a DOM is a reliable strategy to sidestep parsing problems. A similar approach accounts for the success of HTMLPurifier. Obviously, I do not begrudge some minimal use of regular expressions on pre-parsed, normalised input.
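As an added illustration of the distinction drawn above (this is example code written for this page, not code from the original letter, from HTMLReg or from HTMLPurifier), the JavaScript below runs a naive regex blacklist over a few constructed payloads, shows two ways it fails, and contrasts it with an allowlist applied to an already parsed DOM. The payloads, the allowlist and every function name are assumptions chosen for the example; the DOM half needs a browser's DOMParser, so it only runs when one is present.

```javascript
// Added example: why regex "sanitisation" of raw HTML fails, and what the
// parse-first alternative looks like. Not code from the letter, HTMLReg or
// HTMLPurifier. All payloads below are constructed for illustration.

// A naive regex blacklist of the kind the letter argues against: strip a few
// "dangerous" element tags and whitespace-prefixed on*= event handlers.
const BLACKLISTED_TAGS = /<\/?(script|iframe|object|embed)\b[^>]*>/gi;
const EVENT_HANDLERS = /\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

function regexSanitise(html) {
  return html.replace(BLACKLISTED_TAGS, "").replace(EVENT_HANDLERS, "");
}

// A filter whose output changes when applied twice is removing fragments that
// reassemble into new tokens: a sign it does not model the browser's parser.
function isIdempotent(sanitise, input) {
  const once = sanitise(input);
  return sanitise(once) === once;
}

// Constructed payloads (hypothetical, not from the page).
const PAYLOADS = [
  // Stripping "<script>" and "</script>" from the middle leaves a clean script element.
  { name: "nested tag reassembly", html: "<scr<script>ipt>alert(1)</scr</script>ipt>" },
  // The HTML tokenizer accepts "/" as an attribute separator; the regex requires whitespace.
  { name: "slash as attribute separator", html: "<img/onerror=alert(1) src=x>" },
  // Benign markup, to show the filter is not simply destroying everything.
  { name: "benign markup", html: "<b>bold</b> <a href=\"/home\">home</a>" },
];

// Runs a sanitiser over the payloads and reports output and idempotence for each.
function evaluate(sanitise = regexSanitise) {
  return PAYLOADS.map(({ name, html }) => ({
    name,
    output: sanitise(html),
    idempotent: isIdempotent(sanitise, html),
  }));
}

// The approach the letter applauds: let the browser parse first, then apply
// simple allowlist rules to the normalised tree. Browser-only (needs DOMParser).
// ALLOWED is a hypothetical allowlist: element name -> permitted attributes.
const ALLOWED = { B: [], I: [], P: [], A: ["href"], IMG: ["src", "alt"] };
// Only http(s), root-relative paths and fragments; "//host" and "javascript:" are rejected.
const SAFE_URL = /^(?:https?:\/\/|\/(?!\/)|#)/i;

function domSanitise(html) {
  const doc = new DOMParser().parseFromString(html, "text/html");
  for (const el of Array.from(doc.body.querySelectorAll("*"))) {
    const allowedAttrs = ALLOWED[el.tagName];
    if (!allowedAttrs) { el.remove(); continue; }
    for (const attr of Array.from(el.attributes)) {
      // Attribute names are already normalised by the parser, so plain
      // comparison is enough here; no regex over raw markup is needed.
      if (!allowedAttrs.includes(attr.name)) { el.removeAttribute(attr.name); continue; }
      if (attr.name === "href" || attr.name === "src") {
        // The URL parser drops tab/newline/CR, so drop them before checking the scheme.
        const url = attr.value.replace(/[\t\n\r]/g, "").trim();
        if (!SAFE_URL.test(url)) el.removeAttribute(attr.name);
      }
    }
  }
  // Caveat: serialising and re-parsing can itself mutate markup (mXSS); where
  // possible hand the cleaned nodes to the page instead of a string.
  return doc.body.innerHTML;
}

// Stand-alone run: in Node only the regex half executes; in a browser both do.
console.table(evaluate());
if (typeof DOMParser !== "undefined") {
  for (const { name, html } of PAYLOADS) console.log(name, "=>", domSanitise(html));
}
```

The first payload comes out of `regexSanitise` as a fully formed `<script>alert(1)</script>`, and a second pass strips it again, so the filter fails the idempotence check; the second payload passes through untouched because the regex author modelled "space then on" rather than what the tokenizer accepts. Neither problem arises once the input has been parsed, which is the point of working on the DOM.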