Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is there a way to disable javascript within the HTML file?

I compose a large HTML file out of a huge unformatted text file. Now my fear is that the text file might contain some malicious javascript code. To avoid any damage I scan the text and replace any < or > with lt and gt. That is quite effective, but it's not really good for the performance.

Is there some tag or attribute or whatever that allows me to turn javascript off within the HTML file? In the header perhaps?

like image 495
Fotis MC Avatar asked Oct 28 '11 10:10

Fotis MC


People also ask

Can I disable JavaScript?

In the Internet Options window, click the Security tab. In the Security tab, click Custom Level button. Scroll down the list (close to the bottom) and locate Active Scripting. Select Disable, Enable, or Prompt to adjust your JavaScript settings.

Should I separate JavaScript from HTML?

You should put your JS code in a separate file because this makes it easier to test and develop. The question of how you serve the code is a different matter. Serving the HTML and the JS separately has the advantage that a client can cache the JS.

Why do people disable JavaScript in their browser?

It blocks several elements on websites that include tracking cookies, thus enhancing your privacy. Disabling JavaScript can break websites too, affecting the user experience. It eliminates the possibility of a hacker injecting malicious code into the web page you browse.


2 Answers

Since you've considered replacing all < and > by the HTML entities, a good option would consist of sending the Content-Type: text/plain header.

If you include want to show the contents of the file, replacing every & by &amp; and every < by &lt; is sufficient to correctly display the contents of the file. Example:
Input: Huge wall of text 1<a2 &>1
Output: Huge wall of text 1&lt;a2 &amp;>1
Unmodified output, displaying in browser: Huge wall of text 11 (<..> interpreted as HTML)

If you cannot modify code at the back-end (server-side), you need a HTML parser, which sanitised your code. JavaScript is not the only threat, embedded content (<object>, <iframe>, ...) can also be very malicious. Have a look at the following answer for a very detailed HTML parser & sanitizer :
Can I load an entire HTML document into a document fragment in Internet Explorer?

like image 133
Rob W Avatar answered Sep 22 '22 05:09

Rob W


When you have a control of backend, you can provide file with header

Content-type: text/plain;
like image 29
Marian Bazalik Avatar answered Sep 19 '22 05:09

Marian Bazalik