Sanitize all scripts from html string

Question

The HTML5 clipboard is awesome, but I am looking for a way to make it safe.

The user is pasting text/html into my webpage. This allows them to paste images, tables, etc.

I am looking for a way to remove all scripts from the pasted content, before I add it to the page.

I need to remove <script> elements, as well as other ways of executing scripts like

<img src="x" onerror="alert('Hacked!')">

(and any others)

I do not want to remove style elements, or any other sorts of elements. (They are actually pasting into an iframe, so styles won't affect anything else.)

Check if it's a string -> use a regular expression to find the — MJB, Feb 03 '15 at 14:44
@MJB, http://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression — Paul Draper, Feb 03 '15 at 14:45
@PaulDraper which isn't a problem, **unless** you're uploading what they've pasted for other users to see. In which case, [filter it out server-side using a whitelist of approved tags and attributes.](http://stackoverflow.com/questions/1210042/html-purifier-what-to-purify) — Blazemonger, Feb 03 '15 at 14:48
@Blazemonger, a user should just have to *know* whether or not they've copied HTML that includes a — Paul Draper, Feb 03 '15 at 14:50
Exactly -- you don't need to protect your users from themselves, you just need to protect them from each other. — Blazemonger, Feb 03 '15 at 14:52

score 3 · Answer 1 · answered Feb 04 '15 at 11:54

You could use a sanitizer like Google Caja to remove malicious JavaScript - you could even use it to strip all JavaScript content if desired.

However, I question your goals. Is your aim to prevent self-XSS? Unless you output the HTML somewhere, there is no danger to the user. If you output the HTML to the same user and there are other methods of entering the content other than paste, then you should make sure you protect the page against CSRF. This would stop an attacker inserting their own malicious JavaScript under the authorisation of the current user.

If you output the HTML to other users, you may wish to sanitize the content server side. If HTML content isn't allowed at all then you should HTML encode when output so a <script> tag will display as <script> in the browser rather than being interpreted as a code block by the browser.

If you need to output HTML, but without scripts you should sanitize it server side and you should also implement a Content Security Policy. With the correct policy you can prevent inline scripts from running at all in modern browsers. The CSP will prevent any future bugs found in your chosen sanitizer from posing a threat to the user. Supported browsers are detailed here.

You mention that you want to support styles - note that CSS stylesheets can also contain code. This is an Internet Explorer supported concept (and old versions of FireFox). However, your CSP should prevent this if you disallow inline styles.

score 0 · Answer 2 · answered Feb 03 '15 at 15:24

If the user is uploading it for other's to view, you should use a PHP setup with a white list of approved tags, and prevent them from uploading JavaScript, otherwise they could edit it anyway and the script becomes useless. If they aren't uploading for others to see, you needn't do anything because they are only going to harm themselves.

Sanitize all scripts from html string

2 Answers2

Linked