
I'm testing my chat application and I typed in <b>test</b> and the message is coming out as bold.

I have noticed you can't do this in Facebook's chat for example.

What is the best way to handle users attempting to perform this html-injection?

EDIT: I am using node.js for my server side, plain js and html, css. Please note that I do not want to REMOVE the html text that the user has typed. I just want it to not be rendered. For example, in Facebook's chat, if you type <b>test</b> - the tags and the text will appear but it won't be bold.

Ogen
  • Which language are you using for server-side? Can you explain how your chat application works to make it easier to explain how you can remove html tags. Also if you allow html tags my guess is your clients can also inject other languages such as javascript and maybe server-side depending on how secure your application is. I also recommend cleaning data server-side as client side can be changed as it runs in the clients browser. – NewToJS Jan 05 '16 at 11:53
  • Possible duplicate of [Preventing HTML and Script injections in Javascript](http://stackoverflow.com/questions/20855482/preventing-html-and-script-injections-in-javascript) – Akhil Balakrishnan Jan 05 '16 at 11:54
  • Escape the HTML tags: http://stackoverflow.com/questions/5499078/fastest-method-to-escape-html-tags-as-html-entities – Pieter Herroelen Jan 05 '16 at 12:02
  • In short, replace `<` and `>` with HTML entities - `&lt;` and `&gt;`, respectively. – ROAL Jan 05 '16 at 12:06
  • @PieterHerroelen I pressed F12 in google chrome and looked through the html code for Facebook and I don't think that's what they're doing. I wonder how they do it. – Ogen Jan 05 '16 at 12:06
  • @Ogen Are you sure? I think Chrome Dev Tools just displays `&lt;` as `<`. Try 'edit as HTML', then you see the real characters – Pieter Herroelen Jan 05 '16 at 12:27

1 Answer


The process of cleaning user input is called sanitizing. There are many possible methods to handle it; most front-end and back-end frameworks have some tools/methods to provide it. If you are using pure vanilla JavaScript, you could use something like this: Sanitize HTML on the client side

Please also remember that client-side-only sanitizing isn't a good idea, because of possible ajax injections of badly formatted code. You should implement both client-side and server-side sanitizers in order to prevent all possible intrusions.

For Node.js I would recommend using this: Sanitizer, or using the validator package (it has sanitization abilities): Validator

SzybkiSasza
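An added example (my own code, not from the question, the comments or the answer) showing the approach the comments and the answer describe: escape the characters HTML treats specially on the Node.js server before a message is broadcast, so that `<b>test</b>` is delivered as `&lt;b&gt;test&lt;/b&gt;` and the browser displays the tags as text instead of rendering them. The function names `escapeHtml` and `renderMessage` are my own. It goes slightly beyond the `<`/`>` replacement mentioned in the comments by also escaping `&` and both quote characters, which keeps the text literal inside attribute values as well and stops an entity the user typed (such as `&lt;`) from being decoded back into a tag.

```javascript
// Added example: escape the five characters HTML treats specially so that
// user-typed text renders literally. Run on the Node.js server before a
// message is broadcast, and again on the client as a safety net (the answer
// recommends sanitizing on both sides).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// '&' must be escaped first (it is in the same single pass here), otherwise
// "&lt;" typed by a user would later be decoded by the browser into "<".
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Markup for one chat line. Every user-controlled value goes through
// escapeHtml, so tags the user typed appear as text, not as formatting.
function renderMessage(user, message) {
  return `<div class="msg"><span class="user">${escapeHtml(user)}</span>: ` +
         `<span class="body">${escapeHtml(message)}</span></div>`;
}

// Browser-side alternative (assumed DOM, not runnable under node):
// assigning textContent never parses markup, so the original string can be
// shown as-is without building an HTML string at all.
//   const span = document.createElement('span');
//   span.textContent = message;   // shows <b>test</b> literally
//   chatBox.appendChild(span);

// Quick self-check when the file is run directly with `node`.
if (typeof module !== 'undefined' && require.main === module) {
  console.log(renderMessage('Ogen', '<b>test</b>'));
  // → <div class="msg"><span class="user">Ogen</span>: <span class="body">&lt;b&gt;test&lt;/b&gt;</span></div>
}
```

Escaping is done at the point where the text is placed into HTML, not when it is stored, so the original message (including the tags the user typed) stays intact in the database and in the JSON sent over the socket; that matches the question's requirement of keeping the text visible but not rendered. Whichever side builds the markup has to do the escaping, so a client that assembles the message with `innerHTML` from raw JSON still needs `escapeHtml` (or `textContent`) even if the server escaped its own copy.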