Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is there a way to disable javascript within the HTML file?

Tags:

javascript

html

I compose a large HTML file out of a huge unformatted text file. Now my fear is that the text file might contain some malicious javascript code. To avoid any damage I scan the text and replace any < or > with lt and gt. That is quite effective, but it's not really good for the performance.

Is there some tag or attribute or whatever that allows me to turn javascript off within the HTML file? In the header perhaps?

like image 495
Fotis MC Avatar asked Oct 28 '11 10:10

Fotis MC

People also ask

Can I disable JavaScript?

In the Internet Options window, click the Security tab. In the Security tab, click Custom Level button. Scroll down the list (close to the bottom) and locate Active Scripting. Select Disable, Enable, or Prompt to adjust your JavaScript settings.

Should I separate JavaScript from HTML?

You should put your JS code in a separate file because this makes it easier to test and develop. The question of how you serve the code is a different matter. Serving the HTML and the JS separately has the advantage that a client can cache the JS.

Why do people disable JavaScript in their browser?

It blocks several elements on websites that include tracking cookies, thus enhancing your privacy. Disabling JavaScript can break websites too, affecting the user experience. It eliminates the possibility of a hacker injecting malicious code into the web page you browse.

2 Answers

Since you've considered replacing all < and > by the HTML entities, a good option would consist of sending the Content-Type: text/plain header.

If you include want to show the contents of the file, replacing every & by &amp; and every < by &lt; is sufficient to correctly display the contents of the file. Example:
Input: Huge wall of text 1<a2 &>1
Output: Huge wall of text 1&lt;a2 &amp;>1
Unmodified output, displaying in browser: Huge wall of text 11 (<..> interpreted as HTML)

If you cannot modify code at the back-end (server-side), you need a HTML parser, which sanitised your code. JavaScript is not the only threat, embedded content (<object>, <iframe>, ...) can also be very malicious. Have a look at the following answer for a very detailed HTML parser & sanitizer :
Can I load an entire HTML document into a document fragment in Internet Explorer?

like image 133
Rob W Avatar answered Sep 22 '22 05:09

Rob W

When you have a control of backend, you can provide file with header

Content-type: text/plain;
like image 29
Marian Bazalik Avatar answered Sep 19 '22 05:09

Marian Bazalik
Sign in to Comment

Related questions

How can I filter a Javascript array and maintain it's indices?
How to iterate over an object in javascript with an unordered index
When is __proto__ useful?
Enabling Disabling button asp .net - using javascript
How to shield "." char? [duplicate]
The connection to the server was unsuccessful.(file:///android_asset/www/index.html)
Object doesn't Support Property or Method 'replace'
javascript runtime in rails 3.1.0 and ruby 1.9.2. cant deal with with heroku. Did everything, but still does not working
Get the file names from multiple file upload field
Using a Relative Path in Javascript to Set Google Map Icon
Jquery select div inside ul which has a span
Save record on page leave
jQuery Move div with arrow keys
When clicking on on the LI then automatically click on input radio
How to zoom a bing map to display a set of lat/long points?
Can't get jstree working - "Uncaught TypeError: Object #<Object> has no method 'delegate'"
Capture the current value of a variable
JavaScript without HTML in Eclipse
JavaScript to replace Chinese characters
JQGrid Custom Sorting

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!