
I'm expected to get different types of values from users to build a custom JS. For some simple inputs I can validate them, but I have some input that I can't validate; for example, I want to let the user enter an HTML template that encapsulates some output.

In another case I want the user to enter a custom easing function. My question is: is sanitizing an HTML template string and putting it directly into JS safe?

  • Are we talking JS (client-side) or something like node here? If it's purely client-side, unless you've got some really weird GET var stuff going on, the only person the user will be able to hurt is themselves, surely? – CD001 Oct 16 '19 at 12:34
  • Purely client-side, I'm converting a jQuery plugin to a WordPress plugin; users are going to enter some HTML template which will be saved in the database, then used by the jQuery plugin. – Diya' Oct 16 '19 at 12:50
  • @deaalmhamed If you want to make HTML safe, don't allow `script` tags and you would probably do `htmlentities()` on the backend. Also, I assume this is just for markup, so you would also disallow inline javascript, like `onclick`,`onkeypress` etc. All in all, server side validation is more important than client side validation. Reason is someone could turn off javascript on their browser. – nice_dev Oct 16 '19 at 13:01
  • Possible duplicate of [How to prevent XSS with HTML/PHP?](https://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php) – Patrick Q Oct 16 '19 at 13:05
  • @vivek_23 Thank you, but is it safe to only blacklist script tag and some dangerous elements/attributes? – Diya' Oct 16 '19 at 13:15
  • @deaalmhamed Not really, this isn't a foolproof solution. You would find this article useful on details of XSS attacks possible. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet – nice_dev Oct 16 '19 at 13:19
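The comments above raise two questions the thread never resolves with code: why a blacklist of `script` tags and `on*` attributes is not enough, and what the alternative looks like for a stored template that is later injected by the jQuery plugin. The block below is an added example, not code from the question, from the jQuery plugin, or from WordPress. It runs under Node with no DOM. It assumes (hypothetically) that the template marks its output slot as `{{output}}` and that the small tag/attribute allowlist is what the plugin needs; both can be changed. Part 1 is the blacklist the comments describe, with constructed OWASP-style payloads that pass it; part 2 is an allowlist that re-serializes only tags it fully parsed and escapes everything else; part 3 handles the easing function, which is code and therefore cannot be sanitized, only selected by name.

```javascript
// Added example (not from the question, the jQuery plugin or WordPress).
// Assumptions, hypothetical: the template's output slot is {{output}};
// the tag/attribute allowlist below is what the plugin actually needs.

// --- 1. Blacklist: strip <script> and on* attributes (as the comments suggest)
function blacklistSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')        // drop <script>...</script>
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');  // drop onclick=, onerror=, ...
}
// Constructed payloads (OWASP filter-evasion style) that the blacklist lets through.
const BYPASSES = [
  '<a href="javascript:alert(1)">click</a>',                  // no <script>, no on* attribute
  '<img/src=x/onerror=alert(1)>',                            // "/" separates attributes; the regex wants whitespace
  '<scr<script></script>ipt>alert(1)</script>',               // one removal pass reassembles <script>
  '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>', // srcdoc decodes the entities
];

// --- 2. Allowlist: parse each tag, rebuild only what is permitted -----------
const ALLOWED = {                                   // tag -> tag-specific attributes
  div: [], span: [], p: [], b: [], i: [], strong: [], em: [], br: [],
  ul: [], ol: [], li: [], h1: [], h2: [], h3: [],
  a: ['href'], img: ['src', 'alt'],
};
const GLOBAL_ATTRS = ['class', 'id', 'title'];      // deliberately no style, no on*
const URL_ATTRS = ['href', 'src'];
const SAFE_SCHEMES = ['http', 'https', 'mailto'];
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const escapeText = s => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = s => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Decode entities once, as the browser would, so java&#115;cript: or &#9;javascript:
// cannot hide from the scheme check. Values are re-escaped before being emitted,
// so any entity this decoder does not know (e.g. &colon;) stays literal text.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  const cp = n => (n > 0x10ffff ? '\ufffd' : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/gi, (_, n) => named[n.toLowerCase()]);
}
function safeUrl(raw) {
  // Browsers ignore tabs, newlines and other control characters inside a URL.
  const url = decodeEntities(raw).replace(/[\x00-\x20\x7f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;                              // relative URL: no scheme to abuse
  return SAFE_SCHEMES.includes(m[1].toLowerCase()); // rejects javascript:, data:, vbscript:, ...
}

// A tag we can fully parse: <name attr="v" attr='v' attr=v ...> or </name>.
// Anything that does not match is escaped and rendered as text (fail closed).
const TAG_RE = /^<(\/?)([a-z][a-z0-9]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+))?)*)\s*\/?>/i;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;

function allowlistSanitize(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const m = TAG_RE.exec(html.slice(lt));
    const tag = m && m[2].toLowerCase();
    if (!m || !hasOwn(ALLOWED, tag)) {              // unknown or forbidden: emit "&lt;" and move on
      out += '&lt;';
      i = lt + 1;
      continue;
    }
    if (m[1]) {
      out += `</${tag}>`;                           // closing tags never carry attributes
    } else {
      const permitted = GLOBAL_ATTRS.concat(ALLOWED[tag]);
      let attrs = '';
      for (const a of m[3].matchAll(ATTR_RE)) {
        const name = a[1].toLowerCase();
        const value = a[2] ?? a[3] ?? a[4] ?? '';
        if (!permitted.includes(name)) continue;                   // drops onerror, style, srcdoc, ...
        if (URL_ATTRS.includes(name) && !safeUrl(value)) continue; // drops javascript: and friends
        attrs += ` ${name}="${escapeAttr(decodeEntities(value))}"`;
      }
      out += `<${tag}${attrs}>`;
    }
    i = lt + m[0].length;
  }
  return out;
}
// Fill the (assumed) {{output}} slot with escaped text, never with raw HTML.
function renderTemplate(template, output) {
  return allowlistSanitize(template).split('{{output}}').join(escapeText(output));
}

// --- 3. A user-supplied easing function is code: accept a name, not code ---
const EASINGS = { linear: t => t, easeInQuad: t => t * t, easeOutQuad: t => t * (2 - t) };
function resolveEasing(name) {
  return hasOwn(EASINGS, name) ? EASINGS[name] : EASINGS.linear;
}
```

The two properties that matter are that the allowlist rebuilds markup from what it parsed instead of deleting patterns from the original string, and that it escapes any `<` it could not fully parse, so `<img/src=x/onerror=...>` and the nested `<scr<script>` trick come out as harmless text rather than as something a second decoding step can reassemble. Decoding entities before the scheme check and re-encoding on output is what neutralizes `java&#115;cript:` and friends. Text-node `&` is left untouched because an entity in text content can only ever render as text. For a real plugin the same principle is available off the shelf: DOMPurify on the client, or `wp_kses()` with an explicit allowed-tags array on the server, which is where the template should be sanitized since it is stored in the database and the check cannot be skipped by disabling JavaScript.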
