
So "<h1>Hello World</h1>" will just return 'Hello World'.

I've tried:

$('<div>').html('<h1>Hello World</h1>').text()

And that works fine in most cases, but it does open up an XSS vulnerability when the string is something like this: <img src=1 onerror=alert(/XSS/)>, when I expect it to return an empty string.

Jason M
  • "but it doesn't open up an xss vulnerability" Do you mean "*does* open up"? – Anonymous May 26 '15 at 21:58
  • well, that depends on where this string is coming from... – Marc B May 26 '15 at 22:00
  • Yes I mean it "does" open up an xss vulnerability – Jason M May 26 '15 at 22:14
  • `var d=document.createElement("template");d.innerHTML='01'; alert(d.content.textContent);` – dandavis May 26 '15 at 22:56
  • @dandavis, fantastic! using a template element will work. I'm not sure you added the numbers there, but they are not needed. Thanks! – Jason M May 26 '15 at 23:15
  • @JasonM: the numbers show that text makes it through; an empty string alone could be coincidence... – dandavis May 26 '15 at 23:18
  • @dandavis, this doesn't seem to work in browsers that don't support the template tag. Any suggestions on this? Thanks! – Jason M May 29 '15 at 00:49
  • @JasonM: `alert(new DOMParser().parseFromString('01'.bold(),"text/html").documentElement.textContent);` (whew, i was about to say no, then i recalled that dom parser started doing non-strict html...) picks up IE10+ – dandavis May 29 '15 at 06:17
  • @dandavis, your wealth of knowledge impresses me :) any chance for a solution in ie 9? – Jason M May 29 '15 at 13:41
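The inert-parsing approach dandavis suggests in the comments, as an added example that is not code from the question, its answer or any commenter: htmlToText uses DOMParser where a browser provides it, and the small fallback tokenizer for non-browser runtimes is an assumption of this example, not a browser-equivalent parser.

```javascript
// Added example (not code from the question or its answers). DOMParser yields an
// inert document: scripts do not run and <img src> is not fetched, so the
// question's onerror never fires and textContent of '<img src=1 onerror=...>'
// is ''. $('<div>').html(s) parses into the live document, where it does fire.
function htmlToText(html) {
  if (typeof DOMParser !== 'undefined') {
    return new DOMParser().parseFromString(html, 'text/html').body.textContent;
  }
  // Assumption: outside a browser (e.g. Node) fall back to a small tokenizer.
  // Not a browser-equivalent parser; the result is plain text either way, to
  // be shown via textContent / .text(), never innerHTML / .html().
  return fallbackTextOf(html);
}

const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decodes numeric and a few named entities; unknown ones are left as written.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') {
      const key = body.toLowerCase();
      return Object.prototype.hasOwnProperty.call(NAMED, key) ? NAMED[key] : match;
    }
    const hex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Single pass: '<' followed by a letter, '/' or '!' starts a tag, dropped up
// to its closing '>'. Quoted attribute values are honoured, so a '>' inside
// onerror="..." does not end the tag early and leak handler code into the text.
function fallbackTextOf(html) {
  let out = '';
  for (let i = 0; i < html.length; ) {
    if (html[i] !== '<' || !/[A-Za-z\/!]/.test(html[i + 1] || '')) {
      out += html[i++];
      continue;
    }
    let quote = null;
    for (i += 1; i < html.length; ) {
      const ch = html[i++];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === '>') break;
    }
  }
  return decodeEntities(out);
}
```

In a browser, htmlToText('<img src=1 onerror=alert(/XSS/)>') returns '' with no alert, which is the behaviour the question asks for.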

1 Answer


You can try this code, found here: Fastest method to escape HTML tags as HTML entities?

// Removes every '&', '<' and '>' so no tag or entity delimiters survive;
// the result is plain text, not escaped HTML.
function sanitize(str) {
  return str.replace(/&/g,'').replace(/</g,'').replace(/>/g,'');
}

In your example, assuming there's html that looks like this:

<div><img src=1 onerror=alert(/XSS/)></div>

simply sanitize it like so:

var string = $('div').text();
var sanitized = sanitize(string); // "img src=1 onerror=alert(/XSS/);"
Noam
  • Thanks for your answer. In the case of: , I'd expect it to return an empty string because there isn't any text involved. – Jason M May 26 '15 at 22:44