My Javascript code aims to take some untrusted string variable and render it in the DOM. It would be inserted at a known point within well-formed HTML. And it would be inserted if, and only if, the string could not possibly contain HTML elements. Script execution is the primary worry, but any type of injection that could be parlayed into an exploit is of concern.
If the string seems unsafe, I can simply not render it in the DOM. There is no requirement to sanitize or do anything with a string found to be potentially unsafe. In fact, I'd like to avoid libraries and prefer a dead simple check that needs no maintenance. I've also seen the solution of adding a text node to the DOM, but I'll just say that won't work for what I'm doing.
I think the test might be as simple as "does the string contain <":
function isItSafe(text) { return text.indexOf('<') === -1; }
But maybe that's naive. Especially, when some exploits rely on how a certain browser behaves in response to invalid HTML. Can an injection exploit be created without using "<"? If so, what do you think the minimal check would need to be?
My Javascript code aims to take some untrusted string variable and render it in the DOM. It would be inserted at a known point within well-formed HTML. And it would be inserted if, and only if, the string could not possibly contain HTML elements. Script execution is the primary worry, but any type of injection that could be parlayed into an exploit is of concern.
If the string seems unsafe, I can simply not render it in the DOM. There is no requirement to sanitize or do anything with a string found to be potentially unsafe. In fact, I'd like to avoid libraries and prefer a dead simple check that needs no maintenance. I've also seen the solution of adding a text node to the DOM, but I'll just say that won't work for what I'm doing.
I think the test might be as simple as "does the string contain <":
function isItSafe(text) { return text.indexOf('<') === -1; }
But maybe that's naive. Especially, when some exploits rely on how a certain browser behaves in response to invalid HTML. Can an injection exploit be created without using "<"? If so, what do you think the minimal check would need to be?
Share Improve this question asked Jul 19, 2017 at 23:56 Erik HermansenErik Hermansen 2,3793 gold badges23 silver badges49 bronze badges 2- 1 Use a regex! I think this answer stackoverflow./a/20855840/6826071 is what you need. – DrunkDevKek Commented Jul 20, 2017 at 0:03
- I need some way to know that an approach is safe or not. I tried to frame my question to explore what is specifically needed to be certain of safety. – Erik Hermansen Commented Jul 20, 2017 at 0:08
1 Answer
Reset to default 6The short answer is : always use regex on the user's inputs. I don't think there's a way to do XSS attacks without angle brackets.
There are probably libraries out there that use more sophisticated regex but here's a good one to begin with :
This will add a method to String's prototype:
String.prototype.applyXSSprotection = function(){
return this.replace(/</g, "<").replace(/>/g, ">");
};
Anytime you would integrate the user's input into the DOM, you should use :
/*let's suppose the user input is stored in the variable user_input as a string*/
user_input = user_input.applyXSSprotection();
/*now use it*/