I have a JavaScript feature that allows users to place arbitrary text strings on a page. I don't want them to be able to insert HTML or other code, just plain text.

So I figure that stripping out all angle brackets (`<` `>`) would do the trick. (I don't care if they have 'broken' HTML on the page, or that they're not able to put angle brackets in their text.) Then I realized I had to filter escaped angle brackets (`&lt;` `&gt;`) and probably others.

What all do I need to filter out, for security? Will removing all angle brackets do the trick?
Make sure that the first thing you do is replace `&` with `&amp;`.

a) For HTML content, just `<` should be enough.

b) For attribute values, for example if it is going in `<input name="sendtoserver" value="custom text"/>`, you need to take care of double-quotes, but that is all that is necessary. Still, it is good to also do `<` and `>`.

It depends on the context. If you want to play it safe, tell your JavaScript to use `innerText`, which does not need encoding, but you may want to set the CSS to `white-space: pre-wrap`. This is less error prone, but also less browser-compatible.

c) On a loosely related note, when escaping JavaScript string terminators using backslashes, the item that might sneak up on you is if you place content in a script: you need to take care of `</script>` (not case sensitive). You can just escape `</`, or `/` should be enough.