I have a javascript feature that allows users to place arbitrary text strings on a page. I don't want them to be able to insert html or other code, just plain text.
So I figure that stripping out all angle brackets (< and >) would do the trick. (I don't care if they have 'broken' html on the page, or that they're not able to put angle brackets in their text.) Then I realized I had to filter escaped angle brackets (&lt; and &gt;) and probably others.
What all do I need to filter out, for security? Will removing all angle brackets do the trick?
asked Oct 18, 2011 at 14:16 by user151841; edited Oct 19, 2011 at 20:40 by 700 Software
Comments:
- I don't see why you need to filter out escaped angle-brackets. They'll simply appear as angle brackets when presented on a web page, without actually behaving like HTML. – Marcelo Cantos, Oct 18, 2011 at 14:20
- Marcelo will you put that as an answer? Then I can accept it :) – user151841, Oct 18, 2011 at 14:22
- It depends on how he does it. He should test to be sure whether your statement applies to his situation or not. – 700 Software, Oct 18, 2011 at 14:23
- George - are there any browsers that will parse escaped angle brackets as actual html? – user151841, Oct 18, 2011 at 14:25
- No, not when escaped. I might have misunderstood Marcelo's comment. It just doesn't seem right. – 700 Software, Oct 18, 2011 at 14:31
2 Answers
Answer (score 3), quoting the question: "Will removing all angle brackets do the trick?"
Just replace all angle brackets with their escaped form. That way, people can write as much "code" as they like, and it just shows up as plain text instead.
Make sure that the first thing you do is replace & with &amp;
a) For HTML content, just &lt; should be enough.
b) For attribute values, for example if it is going in <input name="sendtoserver" value="custom text"/>, you need to take care of double-quotes, but that is all that is necessary. Still, it is good to also do &lt; and &gt;.
It depends on the context. If you want to play it safe, tell your JavaScript to use innerText, which does not need encoding, but you may want to set the CSS to white-space:pre-wrap. This is less error-prone, but also less browser-compatible.
c) On a loosely related note, when escaping JavaScript string terminators using backslashes, the item that might sneak up on you is if you place content in a script: you need to take care of </script> (not case sensitive). You can just escape </, or / should be enough.
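Added example, not from the answer above or from Stack Overflow: the three escaping contexts the answer lists (HTML text, double-quoted attribute, JS string inside a script block) as small JavaScript helpers, plus a function that shows why `&` must be escaped first. The `SAMPLE` string and the `renderAsText` helper are constructed for illustration.

```javascript
// Added example, not from the original answer. Each helper targets one of
// the contexts the answer lists; SAMPLE is a constructed input.

// a) HTML text content. '&' is handled first: doing it last would turn the
//    '&lt;' produced by the '<' rule into '&amp;lt;' (double encoding).
function escapeHtmlText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The same rules in the wrong order, kept only to show the double-encoding.
function escapeHtmlTextWrongOrder(s) {
  return String(s).replace(/</g, '&lt;').replace(/&/g, '&amp;');
}

// b) Double-quoted attribute value: '"' closes the attribute, so it must be
//    escaped as well; the angle brackets are escaped for good measure.
function escapeHtmlAttr(s) {
  return escapeHtmlText(s).replace(/"/g, '&quot;');
}

// c) Text placed inside a <script> block as a JS string literal. The HTML
//    parser ends the script element at the first "</script" no matter what
//    the JS syntax says, so '</' is split with a backslash. '\/' is a valid
//    JS (and JSON) escape for '/', so the runtime value is unchanged.
function escapeForScriptString(s) {
  return JSON.stringify(String(s)).replace(/<\//g, '<\\/');
}

// Preferred route from the answer: set the text node directly so the
// browser never parses the string as markup. textContent is the standard
// equivalent of innerText; pre-wrap keeps the user's line breaks visible.
// `node` is any object with a `style` property (a DOM element in a browser).
function renderAsText(node, s) {
  node.textContent = String(s);
  node.style.whiteSpace = 'pre-wrap';
  return node;
}

// Constructed sample: markup in every context above.
const SAMPLE = '<b onmouseover="x()">Tom & Jerry</b></script>';
```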