I have a simple application that publishes simple data as statuses for FB. Unfortunately, I found that FB does not sanitize data coming from their API, or exits their API. To deal with this, in short, the answer is to sanitize the responses from their API.
In short, I would like to indicate on line 36 in the following code snippet. (As an example of a test, after you log into FB and give this application permission to send on your behalf, publish the line "<iframe src =" http://www.google.com "> </iframe>" by clicking enter. This will display on your wall in FB, but the iframe will appear on this simple page).
<!DOCTYPE html>
<html>
<head>
<title>Sanitize my FB Data</title>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"
type="text/javascript"></script>
<script src="../../lib/jquery.min.js" type="text/javascript"></script>
</head>
<body>
<input id="fbPost" type="text">
<div id="fb-root"></div>
<script>
window.fbAsyncInit = function () {
FB.init({
appId : "my_app_id",
status : true,
cookie : true,
xfbml : true,
oauth : true
});
$("#fbPost").keyup(function (event) {
if (event.keyCode == 13) {
var data = {
message: $("#fbPost").val()
};
FB.api('/me/feed', 'post', data, function (resp) {
var _index = resp.id.indexOf("_");
var postId = resp.id.substr(_index + 1);
FB.api('/' + postId, function (postData) {
$("body").prepend(postData.message);
});
});
}
});
};
(function(d){
var js, id = 'facebook-jssdk'; if (d.getElementById(id)) {return;}
js = d.createElement('script'); js.id = id; js.async = true;
js.src = "//connect.facebook.net/en_US/all.js";
d.getElementsByTagName('head')[0].appendChild(js);
}(document));
</script>
<div class="fb-login-button"
scope="read_stream,publish_stream">
Login with Facebook
</div>
</body>
</html>
, , , , JavaScript. , SDK JavaScript / FB , FB , .
, Caja, , , html4. - JavaScript.
: JavaScript ?