I am making a chat room website; currently the user can input anything they like into the entry box and send it to all online users. But I am afraid it's not safe: what if some bad guys send malicious HTML/JavaScript code to break all the other users?
How can I avoid that happening?
What everyone said already is right; you need to encode all of that data before sending it to the users.
I just wanted to add, though: be sure you do this encoding on the server, with a built-in (and therefore, well-tested) method provided by the web framework you are using.
Do not try to do this in JavaScript on the client; there is other malicious code that users could enter which would break that JavaScript itself.
And, do not try to "roll your own" encoding mechanism, nor try to use a blacklist approach, where you try to locate only certain "bad" things someone could enter and replace them. You'll never guess what all the "bad things" are.
You don't mention your web framework, but most have built-in functionality that HTML-encodes an entire string so that the string will be displayed literally in the browser, no matter what content is in it.
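As an added illustration (not part of the original answer, and not tied to any particular framework), here is the server-side encoding the answer recommends, using Python's standard-library `html.escape`, placed beside the blacklist approach it warns against; the sample messages are constructed test data.

```python
import html

# Constructed sample messages (test data, not captured from any real chat room).
SAMPLE_MESSAGES = [
    "hi, 1 < 2 and 3 > 2",                 # harmless, but raw '<' still breaks markup
    '<script>alert("x")</script>',         # the one thing the blacklist knows about
    '<SCRIPT>alert("x")</SCRIPT>',         # case variant the blacklist misses
    '<img src="x" onerror="alert(1)">',    # no <script> tag at all
]


def encode_for_html(text: str) -> str:
    """Built-in, well-tested HTML encoding. quote=True also encodes ' and ",
    so the result is safe inside attribute values, not only between tags."""
    return html.escape(text, quote=True)


def naive_blacklist(text: str) -> str:
    """The approach the answer warns against: remove only one known 'bad' thing.
    Included purely to show why it fails on the sample messages."""
    return text.replace("<script>", "").replace("</script>", "")


def render_chat_line(user: str, message: str) -> str:
    """Build the HTML fragment broadcast to every connected client. Both the
    user name and the message are user input, so both go through the encoder."""
    return f"<li><b>{encode_for_html(user)}</b>: {encode_for_html(message)}</li>"


def leaves_raw_tag(text: str) -> bool:
    """Does the processed text still contain an un-encoded '<'? If so, the
    browser can still interpret it as markup."""
    return "<" in text


def compare(messages=SAMPLE_MESSAGES) -> tuple:
    """Count how many sample messages each approach lets through with a raw '<'."""
    blacklist_misses = sum(leaves_raw_tag(naive_blacklist(m)) for m in messages)
    encode_misses = sum(leaves_raw_tag(encode_for_html(m)) for m in messages)
    return blacklist_misses, encode_misses


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(render_chat_line("alice", m))
    print("blacklist misses, encode misses:", compare())  # (3, 0)
```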