Parsing HTML (preventing image prefetch)

[msasha]

Hi all.

I'm trying to parse some HTML received from an untrusted remote source.
What I've been trying so far is something along the lines of:

var htmlString =
"<script language=\"text/javascript\">alert(\"Hello\");</script>" +
"<img src=\"http://www.jinchess.com/chessboard/?pos=Ra6\">";
var div = $doc.createElement('div');
div.innerHTML = htmlString;

and then traverse elem's children via the DOM. Fortunately, any scripts
in the HTML are not run. Unfortunately, both Firefox and IE insist on
loading any images referenced in the HTML although I'm not adding elem
into anything. This is not acceptable because I don't want to be
webbugged.

Note that I don't have a server-side component to delegate this
procedure to...

Please help.


Thanks,
Alexander (aka Sasha) Maryanovsky.

 

[Fred]

Hi all.

I'm trying to parse some HTML received from an untrusted remote source.
What I've been trying so far is something along the lines of:

var htmlString =
"<script language=\"text/javascript\">alert(\"Hello\");</script>" +
"<img src=\"http://www.jinchess.com/chessboard/?pos=Ra6\">";
var div = $doc.createElement('div');
div.innerHTML = htmlString;

and then traverse elem's children via the DOM. Fortunately, any scripts
in the HTML are not run. Unfortunately, both Firefox and IE insist on
loading any images referenced in the HTML although I'm not adding elem
into anything. This is not acceptable because I don't want to be
webbugged.

Use a regular expression to strip out any image tags first. If you
want to keep the image elements, consider either stripping the src
attribute or replacing it with your own. If you want to get really
fancy, you could use match to create an array of the src attributes and
deal with them individually before using the string.