Javascript sanitization: the safest way to insert a possible XSS html string

Question

Javascript sanitization: the safest way to insert a possible XSS html string

I am currently using this method with a jQuery solution to clear a line of possible XSS attacks.

sanitize:function(str) {
    // return htmlentities(str,'ENT_QUOTES');
    return $('<div></div>').text(str).html().replace(/"/gi,'&quot;').replace(/'/gi,'&apos;');   
}

But I have a feeling that it’s not safe enough. Did I miss something?

I tried htmlentities from phpjs project here: http://phpjs.org/functions/htmlentities:425/

But it seems to be listening and returns some additional special characters. Maybe this is an old version?

For instance:

htmlentities('test"','ENT_QUOTES');

It produces:

test&amp;quot;

But it should be:

test&quot;

How do you handle this through javascript?

+5

javascript xss html-sanitizing

Somebody Jul 2 '12 at 10:48

source share

3 answers

Oleg V. Volkov · Answer 1 · 2012-07-02T11:07:55+0000

HTML, .createTextNode(text)/ .data node. , , .

penartur · Answer 2 · 2012-07-02T11:14:08+0000

javascript. .

. jQuery

var str = '<div>abc"def"ghi</div>';

$('test').text(str);
$('test').attr('alt', str);

.

: http://jsfiddle.net/HNQvd/

some_coder · Answer 3 · 2012-07-02T11:11:54+0000

: ' " < > ( ) ; XSS attacsk.

Javascript sanitization: the safest way to insert a possible XSS html string

More articles: