Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Preventing HTML and Script injections in Javascript

Tags:

javascript

html

javascript-injection

html-injections

Assume I have a page with an input box. The user types something into the input box and hits a button. The button triggers a function that picks up the value typed into the text box and outputs it onto the page beneath the text box for whatever reason.

Now this has been disturbingly difficult to find a definitive answer on or I wouldn't be asking but how would you go about outputting this string: 

<script>alert("hello")</script> <h1> Hello World </h1>

So that neither the script is executed nor the HTML element is displayed?

What I'm really asking here is if there is a standard method of avoiding both HTML and Script injection in Javascript. Everyone seems to have a different way of doing it (I'm using jQuery so I know I can simply output the string to the text element rather than the html element for instance, that's not the point though).

like image 756
lorless Avatar asked Dec 31 '13 10:12

lorless

People also ask

How can you prevent script injection that was pasted to input?

You can paste anything you like into an input field, and submit it to a server. Pasting <script>alert("hi");</script> into an input is fine, and that text will be used as the value of the input field when the form data is submitted to the server.

What is JavaScript injections?

A JavaScript injection attack is a type of attack in which a threat actor injects malicious code directly into the client-side JavasScript. This allows the threat actor to manipulate the website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information.

How can we prevent HTML injection in Java?

General advices to prevent InjectionApply Input Validation (using "allow list" approach) combined with Output Sanitizing+Escaping on user input/output. If you need to interact with system, try to use API features provided by your technology stack (Java / . Net / PHP...) instead of building command.

What is a HTML injection?

What is HTML Injection. HTML Injection also known as Cross Site Scripting. It is a security vulnerability that allows an attacker to inject HTML code into web pages that are viewed by other users.

1 Answers

You can encode the < and > to their HTML equivelant.

html = html.replace(/</g, "&lt;").replace(/>/g, "&gt;");

How to display HTML tags as plain text

like image 106
TastySpaceApple Avatar answered Sep 29 '22 11:09

TastySpaceApple
Sign in to Comment

Related questions

React Hooks - What's happening under the hood?
How to properly use componentWillUnmount() in ReactJs
Click a button programmatically - JS
Detect if user is using webview for android/iOS or a regular browser
How to get pseudo element?
ThreeJS: Remove object from scene
Does node.js have equivalent to window object in browser
How can I read the client's machine/computer name from the browser?
What does javascript function return in the absence of a return statement?
What's the significant use of unary plus and minus operators?
Equivalent of Python's dir in Javascript
Do let statements create properties on the global object?
Support for the experimental syntax 'jsx' isn't currently enabled
What Is A Text Node, Its Uses? //document.createTextNode()
Does CoffeeScript allow JavaScript-style == equality semantics?
Creating a javascript widget for other sites
Template literals with nested backticks(`) in ES6
Angular2 too many file requests on load
How to set File objects and length property at FileList object where the files are also reflected at FormData object?
What's the difference in using toString() compared to JSON.stringify()?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!