In jquery autocomplete i am using htmlspecialchars() at the json encoding for title string.When i remove that htmlspecialchars there is an XSS vulnerability.But htmlspecialchars is not escaping the "&" and '(Single Quote) in the title string.For that i've added decodeHTMLEntities by referring the following url.Now there is no XSS vulnerability and there is no escaped data aslo.But when i am giving image tag as input, it directly displaying image,instead of that i need to display the image tag code.Can anyone please help me on this.Here i am sending you my code
How to decode HTML entities using jQuery?
<?php
$test = htmlspecialchars( '<img src="https://google.com" ></img>',ENT_HTML401,'utf-8');
?>
<html>
<head>
<script src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
</head>
<body>
<div id="asd"></div>
<script type='text/javascript'>
var decodeEntities = (function() {
// this prevents any overhead from creating the object each time
var element = document.createElement('textarea');
function decodeHTMLEntities (str) {
if(str && typeof str === 'string') {
// strip script/html tags
str = str.replace(/<img[^>]*>([\S\s]*?)<\/img>/gmi, '');
str = str.replace(/<script[^>]*>([\S\s]*?)<\/script>/gmi, '');
str = str.replace(/<\/?\w(?:[^"'>]|"[^"]*"|'[^']*')*>/gmi, '');
element.innerHTML = str;
str = element.textContent;
element.textContent = '';
}
return str;
}
return decodeHTMLEntities;
})();
document.getElementById('asd').innerHTML = decodeEntities('<?php echo $asd;
?>');
</script>
</body>
</html>
