Checking if Javascript string is HTML code

Question

I have a textbox and submit button which posts the content and a reply to the HTML page. Is there any way (other than checking if the string's substring at the beginning is

    <h1>,<h2>,<h3>...,<script>,<style>,etc.

to see if a string will be formatted differently when it is posted on the page, in order to prevent code injection?

Thanks

-Zach

You shouldnt be doing this check in the browser but on the server where you can ensure the client doens't hack the submit — megawac, Nov 09 '13 at 01:38
Maybe this answer will help you: http://stackoverflow.com/a/942032/772020 — rdonatoiop, Nov 09 '13 at 01:39
maybe add the string to a detached node and check if its.innerText == its.innerHTML — technosaurus, Nov 09 '13 at 02:22

score 1 · Accepted Answer · answered Nov 09 '13 at 01:50

When you display user data, you should correctly encode it as html. In javascript, use document.createTextNode(userData) and append that node instead of using innerHTML. In PHP, use htmlentities.

If the user is allowed to use any html or formatting, you should do them with a strict whitelist of allowed tags and attributes, and encode everything else as plain text.

So, even if the user did enter <h1>stuff</h1>, when that's properly encoded, it will come out as <h1>test</h1> instead of html, which won't be vulnerable to javascript injection.

Checking if Javascript string is HTML code

1 Answers1