Preventing HTML and Script injections in Javascript

Question

Assume I have a page with an input box  The user types something into the input box and hits a button  The button triggers a function that picks up the value typed into the text box and outputs it onto the page beneath the text box for whatever reason   Now this has been disturbingly difficult to find a definitive answer on or I wouldn t be asking but how would you go about outputting this string     lt script gt alert  hello   lt  script gt   lt h1 gt  Hello World  lt  h1 gt    So that neither the script is executed nor the HTML element is displayed    What I m really asking here is if there is a standard method of avoiding both HTML and Script injection in Javascript  Everyone seems to have a different way of doing it  I m using jQuery so I know I can simply output the string to the text element rather than the html element for instance  that s  not the point though

User · Answer

From here  var string   lt script gt     lt  script gt    string encodeURIComponent string       3Cscript 3E    3C script 3

User · Answer

myDiv textContent   arbitraryHtmlString    as  Dan pointed out  do not use innerHTML  even in nodes you don t append to the document because deffered callbacks and scripts are always executed  You can check this https   gomakethings com preventing-cross-site-scripting-attacks-when-using-innerhtml-in-vanilla-javascript  for more info

User · Answer

A one-liner   var encodedMsg       lt div   gt    text message  html      See it work   https   jsfiddle net TimothyKanski wnt8o12j

User · Answer

I use this function htmlentities  string      msg     lt script gt alert  hello   lt  script gt   lt h1 gt  Hello World  lt  h1 gt    msg   htmlentities  msg   echo  msg

User · Answer

Try this method to convert a  string that could potentially contain html code  to  text format     msg     lt div gt  lt  div gt     safe msg   htmlspecialchars  msg  ENT QUOTES   echo  safe msg    Hope this helps

User · Answer

Use this    function restrict elem     var tf     elem     var rx   new RegExp    if elem     email           rx          gi     else if elem     search     elem     comment        rx      a-z 0-9     gi     else        rx       a-z0-9  gi        tf value   tf value replace rx             On the backend  for java   Try using StringUtils class or a custom script    public static String HTMLEncode String aTagFragment            final StringBuffer result   new StringBuffer            final StringCharacterIterator iterator   new                 StringCharacterIterator aTagFragment           char character   iterator current            while  character    StringCharacterIterator DONE                         if  character      lt                    result append   amp lt                 else if  character      gt                    result append   amp gt                 else if  character                          result append   amp quot                 else if  character                          result append   amp  039                 else if  character                          result append   amp  092                 else if  character      amp                    result append   amp amp                 else                 the char is not a special one               add it to the result as is                 result append character                             character   iterator next                      return result toString

User · Answer

You can encode the  lt  and  gt  to their HTML equivelant   html   html replace   lt  g    amp lt    replace   gt  g    amp gt       How to display HTML tags as plain text

[javascript] Preventing HTML and Script injections in Javascript

Examples related to javascript

Examples related to html

Examples related to javascript-injection

Examples related to html-injections