
I'm creating a table to display DB records. Someone stored:

<script>alert('hello');</script>

in the database. So when it constructs the table it closes out the script too early.

I did a temp fix by replacing with nothing server side but that would be...a pain in the rear to say the least. How do I make JavaScript treat a string as a string, and ignore closing tags?

data[i] = new Array("INCIDENT NUMBER",
                    "ARREST",
                    "<script>alert('hello')</script>",
                    "DSO",
                    "USER",
                    "11-020906",
                    "10-100",
                    "02/09/2011",
                    "",
                    "",
                    "",
                    "",
                    "");

Using JSP server side.

So I've boiled this down to server side resolution. There is no way to make the browser ignore the tag in a string.

ChrisF
GaidenFocus

  • You need to look into HTML Encoding and other XSS vulnerabilities – BLSully Jul 29 '15 at 21:26
  • Tried this http://stackoverflow.com/questions/1219860/html-encoding-in-javascript-jquery Didn't solve the issue. – GaidenFocus Jul 29 '15 at 21:27
  • nothing in your code shows how you're putting that data back on the page, but I'm guessing you're using `innerHTML`, or a jQuery `html()`. Don't do that. Use textContent or jQuery's `text()`, which sets the content of elements to data you pass in *as text*, so things like `<` become `&lt;` etc. That said, *never trust user input*: sanitize it, throw it away when it's dangerous, etc. and read up on XSS – Mike 'Pomax' Kamermans Jul 29 '15 at 21:27
  • this is the section; it closes the script section before it finishes building the array. The server side code slaps this in for every record it finds. It then goes to a function that turns the 2d array into a table. – GaidenFocus Jul 29 '15 at 21:29
  • This depends on your server side technologies. You should google for sanitizing user input and server output like `htmlspecialchars` in PHP. – ivkremer Jul 29 '15 at 21:29
  • I'm using JSP (Beans) in which I can "sanitize" that one field but it would require 10,000+ lines of code to clean all of them. Just wondering if anyone knows how to get the browser to treat a string as a string. – GaidenFocus Jul 29 '15 at 21:33
  • Then you better get started sanitizing. XSS vulnerabilities are serious. – mason Feb 02 '16 at 22:18
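As an added example (not code from the question or from any answer here), the following JavaScript shows why the browser closes the script early and what the server has to emit instead. The record array is constructed sample data, and every function name is the example's own. It goes a little beyond the question by also encoding the same value for the table cell (HTML text context), which is the second place the record is written into.

```javascript
// The failure in the question is a context problem, not a JavaScript one. The
// browser's HTML parser finds the first "</script" in the page and closes the
// inline <script> element there, before the JavaScript engine ever sees the
// string literal. The server must therefore encode each value for the context
// it is written into: first a JavaScript string literal inside <script>, then
// the HTML text of a table cell.

// Constructed sample record, mirroring the question's array shape (hypothetical data).
const RECORD = [
  "INCIDENT NUMBER", "ARREST", "<script>alert('hello')</script>",
  "DSO", "USER", "11-020906", "10-100", "02/09/2011", "", "", "", "", "",
];

// Encode a value as a JavaScript string literal that is safe to embed in an
// inline <script> block. JSON.stringify handles quotes, backslashes and control
// characters; the extra replacements turn the characters that matter to the
// HTML parser into \uXXXX escapes, so "</script>" (and "<!--") can never
// appear in the emitted page. The JavaScript engine decodes them back.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")   // line separators are newlines to JS but not to JSON
    .replace(/\u2029/g, "\\u2029");
}

// Render a whole record as the JavaScript array literal the JSP would emit.
function toJsArrayLiteral(record) {
  return "[" + record.map(toJsStringLiteral).join(", ") + "]";
}

// The inline script the server writes: the question's approach (raw values
// wrapped in quotes) and the encoded version.
function naiveScript(record) {
  return "<script>var row = [" + record.map(v => '"' + v + '"').join(", ") + "];</script>";
}
function safeScript(record) {
  return "<script>var row = " + toJsArrayLiteral(record) + ";</script>";
}

// Model the HTML tokenizer's rule: the first "</script" after the opening tag
// ends the element, regardless of JavaScript quoting. Returns true when that
// first end tag is not the one the server intended.
function closesEarly(html) {
  const lower = html.toLowerCase();
  const open = lower.indexOf("<script>") + "<script>".length;
  const firstClose = lower.indexOf("</script", open);
  return firstClose !== html.length - "</script>".length;
}

// HTML text context: the table cell. Encode the five significant characters,
// "&" first so the entities produced afterwards are not re-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}
function rowHtml(record) {
  return "<tr>" + record.map(v => "<td>" + escapeHtml(v) + "</td>").join("") + "</tr>";
}
```

Run it with node: `closesEarly(naiveScript(RECORD))` is true and `closesEarly(safeScript(RECORD))` is false, while `JSON.parse(toJsStringLiteral(RECORD[2]))` gives the original string back, which is exactly what the browser's JavaScript engine does with the `\u003c` escapes. This encoding has to happen on the server, before the value is written into the page (a JSP would do the same with a JSON library plus the `<`, `>` and `&` replacements); a client-side `.replace` cannot help, because the script never runs past the broken tag.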

4 Answers

That is called a Cross Site Scripting (XSS) attack, in which a user attempts to inject executable code into your website. There are many ways to handle this issue, so it may be best that you do some research on your own. One way to handle this is on the client-side, before the information is injected, to use jQuery's .text() method.

ChadF

You need to change < to &lt; and > to &gt;, or just replace '</script>' with ''.

I would point out that your site seems like it may be vulnerable to injection attacks; it would be wise to sanitise data going in to and coming out of your database to ensure they don't pass code - replacing < and > with &lt; and &gt; is a start, but it will probably require more effort than this simple hack to get what you want.

You're not mentioning what language you're using to actually retrieve the data - let us know and I'll see if I can help you further.

SteJ

Validate and sanitize user input!

What you can do in this case, is detect any special characters and convert them to HTML symbols (http://www.w3schools.com/html/html_symbols.asp). So you should add one more step before storing anything in your database.

  1. Extract the user input, send it to your server.
  2. Have server perform some validation and sanitization. In this case, convert the "<" and ">" characters to HTML symbols.
  3. Store the newly sanitized text in your database.

Of course there are many, many additional cases to consider which is why it might be better to look for some open-source solutions than rolling out your own.

Toby Liu

Use this function:

function sanitizeText(text) {
    // Replace "&" first so the entities produced below are not re-escaped.
    var sval = text.replace(/&/g, '&amp;');
    // Then the tag delimiters, so the value renders as text instead of markup.
    sval = sval.replace(/</g, "&lt;");
    sval = sval.replace(/>/g, "&gt;");
    return sval;
}

like this:

data[i] = new Array("INCIDENT NUMBER",
                    "ARREST",
                    sanitizeText("<script>alert('hello')</script>"),
                    "DSO",
                    "USER",
                    "11-020906",
                    "10-100",
                    "02/09/2011",
                    "",
                    "",
                    "",
                    "",
                    "");

Or wherever you are showing and receiving values from the user.

Aishwarya Shiva
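An added example (not from any answer) to go with the `sanitizeText` function above and the encode-before-storing advice in the earlier answer: it shows why `&` must be replaced first, adds the quote entities an attribute context needs, and shows what the user ends up seeing when a value is encoded once when stored and again when rendered. All function names and sample strings are the example's own.

```javascript
// Correct order: "&" first, so the entities produced by the later
// replacements are not themselves re-escaped. Quotes are covered too, so the
// result is also safe inside a double- or single-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Wrong order: "<" becomes "&lt;", then the "&" in that entity becomes
// "&amp;", so the browser displays the literal text "&lt;" instead of "<".
function escapeHtmlWrongOrder(text) {
  return String(text)
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/&/g, "&amp;");
}

// Minimal decoder for the five entities above (what the browser does when it
// renders the text), used here to show round trips.
function unescapeHtml(html) {
  return html
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");   // last: mirror image of the encoder's order
}

// What the user sees for a value that was already encoded when it was stored
// (constructed sample: storedEncoded is the output of escapeHtml) and is
// encoded a second time when the page is rendered.
function displayedText(storedEncoded) {
  return unescapeHtml(escapeHtml(storedEncoded));
}
```

The double-encoding case is the practical argument for encoding once, at output time, for the context the value is written into: a database holding `&lt;script&gt;` renders as that literal text if the page also escapes it, and as a tag if some later page forgets to.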