javascripthtmljavascript-injectionhtml-injections

Preventing HTML and Script injections in Javascript


Assume I have a page with an input box. The user types something into the input box and hits a button. The button triggers a function that picks up the value typed into the text box and outputs it onto the page beneath the text box for whatever reason.

Now this has been disturbingly difficult to find a definitive answer on or I wouldn't be asking but how would you go about outputting this string:

<script>alert("hello")</script> <h1> Hello World </h1>

So that neither the script is executed nor the HTML element is displayed?

What I'm really asking here is if there is a standard method of avoiding both HTML and Script injection in Javascript. Everyone seems to have a different way of doing it (I'm using jQuery so I know I can simply output the string to the text element rather than the html element for instance, that's not the point though).


Solution

  • You can encode the < and > to their HTML equivelant.

    html = html.replace(/</g, "&lt;").replace(/>/g, "&gt;");
    

    How to display HTML tags as plain text