Facebook has had to solve a similar problem. It might be worth taking your de-obfuscator(1) in hand and looking though their source. 1) e.g. http://jsbeautifier.org/ /sam On Wed, May 13, 2009 at 6:45 PM, Matt Warden <mwarden at gmail.com> wrote: > On Wed, May 13, 2009 at 12:50 PM, ivo <cervantes_vive at yahoo.com> wrote: >> I have an interesting problem I am trying to solve. I have a set of HTML pages onto which clients can add their own HTML & JS. The client HTML & JS can only be to modify the page DOM for presentation purposes. What I need to check for is if the client HTML & JS attempts to include any additional scripts or iframes. Checking the HTML document for script tags and iframes is straightforward but checking the JS fragments included on the page so that they dont dynamically build these tags or that they do ajax calls is challenging.