Is this a good string sanitizer?

Question

Possible Duplicate:
HtmlSpecialChars equivalent in Javascript?

I couldn't find a good string sanitization function to be safely used inside HTML. I was wondering if this is a good approach:

String.prototype.sanitize = function() {
  return $('<div></div>').text(this).html();
}

Making a method of `String.prototype` aware of something like `jQuery` is a bad kind of coupling. — Ja͢ck, Jan 31 '13 at 02:58

score 4 · Accepted Answer · answered Jan 31 '13 at 02:42

4

For sanitizing against XSS, yes. For sanitizing against SQL injections, no.

answered Jan 31 '13 at 02:42

Josh Austin

740
3
14

1

thanks! As my requirement is for front-end protection, this would suffice. – PH. Jan 31 '13 at 02:47

score 1 · Answer 2 · edited May 23 '17 at 12:26

1

It's better (and still easy) to remove the jquery requirement:

String.prototype.htmlspecialchars = function() {
  var span = document.createElement('span'),
  txt = document.createTextNode(this);

  span.appendChild(txt);

  return span.innerHTML;
}

The coupling with document still isn't so bad, because that's where it's going to be used anyway, but I prefer using successive String.replace() like in this answer.

edited May 23 '17 at 12:26

Community

1
1

answered Jan 31 '13 at 03:01

Ja͢ck

170,779
38
263
309

thats a nice refactoring. thanks Jack. – PH. Jan 31 '13 at 10:10

Is this a good string sanitizer?

2 Answers2