1) I get response with html tags, for instance: This is <b>Test</b>
2) sometimes the response may contain script (or iframe, canvas, etc.) tags (XSS), for instance: This <script>alert("Hello from XSS")</script> is <b>Test</b>
3) how can I remove all of the XSS tags (script, iframe, canvas…) but keep the other html tags?
PS: I can’t use escape because it removes <b>, <strong> and other tags.
All tags can harbour XSS risks. For example <b onmouseover="...">, <a href="javascript:..."> or <strong style="padding: expression(...)">. To render HTML ‘safe’ you need to filter it to only allow a minimal set of known-safe elements and attributes. All URL attributes need further checking for known-good protocols. This is known as ‘whitelisting’.
It’s not a simple task, as you will typically have to parse the HTML properly to detect which elements and attributes are present. A simple regex will not be enough to pick up the range of potentially-troublesome content, especially in JavaScript which has a relatively limited regex engine (no lookbehind, unreliable lookahead, etc).
There are tools for server-side languages that will do this for you, for example PHP’s HTML Purifier. I would recommend using one of those at the server-side before returning the content, as I’m currently unaware of a good library of this kind for JavaScript.
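An added example (not code from the question, the answer, or any library mentioned) of the whitelisting approach the answer describes: parse the HTML properly, keep only allowed elements and attributes, and check URL attributes for known-good protocols. It uses Python's stdlib html.parser, since the answer recommends doing this server-side; the allowed element/attribute sets and the safe-scheme list are assumptions chosen for illustration.

```python
# Added example: minimal allowlist ("whitelist") HTML sanitizer on top of
# Python's html.parser. ALLOWED, SAFE_SCHEMES and the dropped-element list
# are assumptions for this illustration, not a complete production policy.
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

ALLOWED = {"b": set(), "strong": set(), "i": set(), "em": set(),
           "p": set(), "br": set(), "a": {"href"}}   # element -> allowed attrs
SAFE_SCHEMES = {"http", "https", "mailto"}            # known-good URL protocols
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID = {"br"}                                          # no closing tag emitted

def safe_url(url):
    """Accept relative URLs or known-good schemes (rejects javascript:, data:)."""
    scheme = urlparse(url.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES

class Allowlist(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0   # nesting depth inside an element whose content is discarded
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1; return
        if self.skip or tag not in ALLOWED:
            return      # unknown tag: drop the tag itself, its text is still kept
        kept = []
        for name, value in attrs:   # event handlers, style etc. are never in ALLOWED
            if name in ALLOWED[tag] and value is not None:
                if name == "href" and not safe_url(value):
                    continue        # bad protocol: drop just the attribute
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1); return
        if not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # text is re-escaped

def sanitize(html):
    """Return html reduced to the allowlisted elements/attributes."""
    p = Allowlist(); p.feed(html); p.close()
    return "".join(p.out)
```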