6

Currently i'm using this method with jQuery solution, to clean string from possible XSS attacks.

sanitize:function(str) { // return htmlentities(str,'ENT_QUOTES'); return $('<div></div>').text(str).html().replace(/"/gi,'&quot;').replace(/'/gi,'&apos;'); }

But i have a feeling it's not safe enough. Do i miss something?

I have tried htmlentities from phpjs project here: http://phpjs.org/functions/htmlentities:425/

But it's kinda bugged and returns some additional special symbols. Maybe it's an old version?

For example:

htmlentities('test"','ENT_QUOTES');

Produces:

test&amp;quot;

But should be:

test&quot;

How are you handling this via javascript?

Improve this question
5
  • How do you intend to use the "sanitized" string? Commented Jul 2, 2012 at 10:52
  • Insert into html document ofc as text. As href="sanitized" or src="sanitized", or <div>sanitized</div> Commented Jul 2, 2012 at 10:57
  • From where the insert is triggered? Do you want to insert the string into an already opened page dynamically using Javascript, or into the server-generated HTML document using PHP? Commented Jul 2, 2012 at 10:59
  • Yes dynamically using javascript. String comes from untrusted source. Commented Jul 2, 2012 at 11:06
  • Use Caja's html_sanitize.js. stackoverflow.com/questions/12253686/… Commented Sep 4, 2012 at 23:47

3 Answers 3

Reset to default
3

If your string is supposed to be plain text without HTML formatting, just use .createTextNode(text)/assigning to .data property of existing text node. Whatever you put there will always be interpreted as text and needs no additional escaping.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

What about ' or " and others symbols of which i maybe don't know?
I wrote "whatever" and it is "whatever" indeed. You'd be manipulating field in DOM structure that can hold only text. Those operations won't ever cause any automagical invocations of HTML parser like famous innerHTML would do (this, BTW, is still considered one of the worst design flaws of that feature).
3

Yes dynamically using javascript. String comes from untrusted source.

Then you don't need to sanitize it manually. With jQuery you can just write

​var str = '<div>abc"def"ghi</div>​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​'; ​$​('test').text(str); $('test').attr('alt', str);

Browser will separate the data from the code for you.

Example: http://jsfiddle.net/HNQvd/

Improve this answer

4 Comments

While alt is safe, you will still have problems with attributes that can be interpreted as non-text down the line. Most obviously onclick and other handlers, but also src.
Everything could be considered harmful. If the OP is going to change arbitrary attributes (with user-supplied names), then they have much bigger problem than just sanitizing the values.
People. I have a working solution in my post. I just want you people, to updated it if it have some vulnerabilities if used inside <div>HERE</div> or <a href="HERE"></a> , or <img src="HERE"/>. That's all. :)
@Beck Once again, you should not re-invent the bicycle (which may have some vulnerabilities); you should rather use a well-supported standard solution which separates the data and the code. For example, instead of trying hard to sanitize the string and then writing your sort-of-sanitized result into the innerHtml, you should rather leave the source string as-is and write it into the innerText.
1

You should quote other characters too:

' " < > ( ) ;

They all can be used for XSS attacks.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.