
JavaScript and Java

JavaScript, the scripting language embedded in HTML documents, has a history of security problems. The first step in protecting against these problems is to remove all JavaScript SCRIPT tags and their contents from the HTML. A filter can do this easily by looking for tags named SCRIPT in the HTML Token object stream. When one is found, all tokens up to and including the end tag /SCRIPT are removed from the object stream. JavaScript code can also be included in HTML tag attributes, so all tags must be scanned and any code found must be removed. Similarly, Java is included in HTML documents using the APPLET tag. To remove Java, a filter needs to remove all APPLET tags and their contents. Figure 5.1 shows part of a Java ContentFilter that removes all APPLET tags and their contents up to and including the /APPLET end tag.

Figure 5.1: Java Filter
    public boolean needsFilt...
    ...se();
    }
    catch (Exception e) {}
    }
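The following is an added example, not code from the original page or from the filter in Figure 5.1. It applies the rules described above to a token stream: it drops SCRIPT and APPLET elements up to and including their end tags and removes script-bearing attributes. The names `Token`, `Kind`, `BLOCKED` and `filter` are hypothetical, and treating `on*` event-handler attributes and `javascript:` URLs as the attribute forms to remove is an assumption of this example.

```java
import java.util.*;
// Added illustration. Token is a hypothetical stand-in for an HTML token,
// not the class used by the filter in Figure 5.1.
public class ActiveContentFilter {
    enum Kind { START, END, TEXT }
    record Token(Kind kind, String name, Map<String, String> attrs, String text) {}
    static final Set<String> BLOCKED = Set.of("SCRIPT", "APPLET");

    static List<Token> filter(List<Token> in) {
        List<Token> out = new ArrayList<>();
        String skipping = null;              // blocked element currently being dropped
        for (Token t : in) {
            String name = t.name() == null ? "" : t.name().toUpperCase(Locale.ROOT);
            if (skipping != null) {          // drop up to and including the end tag
                if (t.kind() == Kind.END && name.equals(skipping)) skipping = null;
                continue;
            }
            if (t.kind() != Kind.TEXT && BLOCKED.contains(name)) {
                if (t.kind() == Kind.START) skipping = name;
                continue;                    // a stray end tag is dropped as well
            }
            if (t.kind() == Kind.START) {    // code can also sit in tag attributes
                Map<String, String> kept = new LinkedHashMap<>();
                t.attrs().forEach((k, v) -> {
                    String key = k.toLowerCase(Locale.ROOT);
                    String val = v.replaceAll("\\s", "").toLowerCase(Locale.ROOT);
                    if (!key.startsWith("on") && !val.startsWith("javascript:")) kept.put(k, v);
                });
                t = new Token(Kind.START, t.name(), kept, null);
            }
            out.add(t);
        }
        return out;                          // an unclosed SCRIPT drops the rest: fail closed
    }

    public static void main(String[] args) {
        List<Token> page = List.of(          // constructed sample input
            new Token(Kind.START, "a", Map.of("href", "javascript:void(0)"), null),
            new Token(Kind.TEXT, null, null, "link"),
            new Token(Kind.END, "a", null, null),
            new Token(Kind.START, "script", Map.of(), null),
            new Token(Kind.TEXT, null, null, "alert(1)"),
            new Token(Kind.END, "script", null, null),
            new Token(Kind.START, "applet", Map.of("code", "Demo.class"), null),
            new Token(Kind.END, "applet", null, null),
            new Token(Kind.START, "body", Map.of("onload", "init()", "bgcolor", "white"), null));
        filter(page).forEach(System.out::println);
    }
}
```

Tag names are compared case-insensitively, and a SCRIPT or APPLET start tag with no matching end tag causes everything after it to be dropped rather than passed through.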



Mark R. Boyns
1999-01-12