What is the simplest check possible for an HTML/JS injection attack?

Question

My Javascript code aims to take some untrusted string variable and render it in the DOM. It would be inserted at a known point within well-formed HTML. And it would be inserted if, and only if, the string could not possibly contain HTML elements. Script execution is the primary worry, but any type of injection that could be parlayed into an exploit is of concern.

If the string seems unsafe, I can simply not render it in the DOM. There is no requirement to sanitize or do anything with a string found to be potentially unsafe. In fact, I'd like to avoid libraries and prefer a dead simple check that needs no maintenance. I've also seen the solution of adding a text node to the DOM, but I'll just say that won't work for what I'm doing.

I think the test might be as simple as "does the string contain <":

function isItSafe(text) { return text.indexOf('<') === -1; }

But maybe that's naive. Especially, when some exploits rely on how a certain browser behaves in response to invalid HTML. Can an injection exploit be created without using "<"? If so, what do you think the minimal check would need to be?

Answer 1

The short answer is : always use regex on the user's inputs. I don't think there's a way to do XSS attacks without angle brackets.

There are probably libraries out there that use more sophisticated regex but here's a good one to begin with :

This will add a method to String's prototype:

String.prototype.applyXSSprotection = function(){
  return this.replace(/</g, "&lt;").replace(/>/g, "&gt;");
};

Anytime you would integrate the user's input into the DOM, you should use :

/*let's suppose the user input is stored in the variable user_input as a string*/
user_input = user_input.applyXSSprotection();
/*now use it*/