Is window.prompt secure?

Question

I extend a JavaScript application. I do not need nice styles. I only want to allow users to enter a text. This text is not stored anywhere (it may be printed out). In my search I found window.prompt. Now I'm wondering if this is safe.

I escaped the most important characters.This is the relevant part of my code:

_fireCreatedEvent: function () {
    var input = window.prompt("", "");
    var text = this._escapeHtml(input);

    var ticon = L.divIcon({
        iconSize: null,
        html: '<div class="map-label"><div class="map-label-content">' + text + '</div><div class="map-label-arrow"></div></div>'
    });
    var textmarker = new L.Marker.Touch(this._textmarker.getLatLng(), {icon: ticon});
    L.Draw.Feature.prototype._fireCreatedEvent.call(this, textmarker);
},

...

_escapeHtml(perhapsunsafe) {
    return perhapsunsafe
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/&/g, "&amp;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#039;");
}

Is this code safe enough to use on the internet?

Is it your goal to **not allow** them to provide any HTML and just text? or are you allowing them to provide **some** markup? There are better ways to prevent the former than string replacement, but the latter is a bit trickier and things like a trustworthy markdown transpiler may be your best bet. — zfrisch, Nov 05 '19 at 21:52
*Safe* is subjective, however the code you provided is the most [common way to escape HTML in JavaScript](https://stackoverflow.com/a/6234804/231316). You say you aren't storing the data, so I would take that to mean that your server is safe. You appear to be using a JS library for drawing map icons, and assuming that's all client-side, that's safe as far as the library is concerned. That leaves the user. Could they put malicious HTML into there? Probably not, but even if they did, it would be attacking themselves so that isn't really your concern, either. — Chris Haas, Nov 05 '19 at 23:03

Is window.prompt secure?

0 Answers0