Currently i'm using this method with jQuery solution, to clean string from possible XSS attacks.
sanitize:function(str) {
// return htmlentities(str,'ENT_QUOTES');
return $('<div></div>').text(str).html().replace(/"/gi,'"').replace(/'/gi,''');
}
But i have a feeling it's not safe enough. Do i miss something?
I have tried htmlentities from phpjs project here: http://phpjs.org/functions/htmlentities:425/
But it's kinda bugged and returns some additional special symbols. Maybe it's an old version?
For example:
htmlentities('test"','ENT_QUOTES');
Produces:
test&quot;
But should be:
test"
How are you handling this via javascript?
Encoding is probably the most important line of XSS defense, but it is not sufficient to prevent XSS vulnerabilities in every context. You should also validate input as strictly as possible at the point when it is first received from a user.
xss-sanitize allows you to accept html from untrusted sources by first filtering it through a white list. The white list filtering is fairly comprehensive, including support for css in style attributes, but there are limitations enumerated below.
The HTML Sanitizer API allow developers to take untrusted strings of HTML and Document or DocumentFragment objects, and sanitize them for safe insertion into a document's DOM.
The sanitize() method of the Sanitizer interface is used to sanitize a tree of DOM nodes, removing any unwanted elements or attributes. It should be used when the data to be sanitized is already available as DOM nodes. For example when sanitizing a Document instance in a frame.
If your string is supposed to be plain text without HTML formatting, just use .createTextNode(text)
/assigning to .data
property of existing text node. Whatever you put there will always be interpreted as text and needs no additional escaping.
Yes dynamically using javascript. String comes from untrusted source.
Then you don't need to sanitize it manually. With jQuery you can just write
var str = '<div>abc"def"ghi</div>';
$('test').text(str);
$('test').attr('alt', str);
Browser will separate the data from the code for you.
Example: http://jsfiddle.net/HNQvd/
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With