
I need to escape untrusted user input in order to insert the data in the HTML element content context, e.g. inside a <td> element.

OWASP recommends escaping certain characters:

 & --> &amp;
 < --> &lt;
 > --> &gt;
 " --> &quot;
 ' --> &#x27;
 / --> &#x2F;

I've been looking at dozens of different recommendations and none of them seems to fit my case perfectly:

  • Escaping server-side is not a convenient option, as the data is sent as a big JSON object where some of the properties can be binary data. Also, the server API could be used to insert the data in different HTML contexts (HTML attribute, GET parameter, etc.) where different escaping mechanisms might be required.
  • The JavaScript escape() function (deprecated), encodeURI and encodeURIComponent are intended for URIs.
  • node.textContent = untrustedDataString; would work, but it is not convenient, as I am building complex HTML before adding it to the DOM and need it to be parsed as HTML after the untrusted data has been escaped: myDiv.innerHTML = htmlString
  • Writing my own function to escape certain characters works well, but I would think that a common problem like this would have a more standard solution, such as a built-in JavaScript function. Inventing your own security mechanisms is not considered best practice.


function escapeXml(unsafe) {
    return unsafe.replace(/[<>&'"]/g, function (c) {
        switch (c) {
            case '<': return '&lt;';
            case '>': return '&gt;';
            case '&': return '&amp;';
            case '\'': return '&apos;';
            case '"': return '&quot;';
        }
    });
}

Am I missing the standard and widely accepted method that everybody else knows about?

Ra.

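One way to get the behaviour the question is after (escaping applied exactly once, at the point where untrusted values meet developer-written markup) is a tagged template literal that escapes every interpolated value with the OWASP table above and passes the literal markup through unchanged. This is an added example, not code from the question or from OWASP; the names html, SafeHtml, joinSafe and renderTable, and the sample rows, are mine and constructed for illustration.

```javascript
// Escape table for the HTML element content context (the six characters
// OWASP recommends). Values are coerced with String() so numbers work too.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (c) => HTML_ESCAPES[c]);
}

// Marker for markup that has already been escaped; only values wrapped in
// this class bypass escaping, so nested templates are not double-escaped.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: the literal chunks written by the developer are trusted,
// every ${value} is escaped unless it is a SafeHtml produced by this tag.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += v instanceof SafeHtml ? v.markup : escapeHtml(v);
    out += strings[i + 1];
  });
  return new SafeHtml(out);
}

// Join a list of SafeHtml fragments (e.g. table rows) into one fragment.
function joinSafe(parts) {
  return new SafeHtml(parts.map((p) => p.markup).join(''));
}

// Build a table from untrusted JSON rows; the markup is parsed as HTML,
// the field values are not.
function renderTable(rows) {
  const body = rows.map((r) => html`<tr><td>${r.name}</td><td>${r.comment}</td></tr>`);
  return html`<table>${joinSafe(body)}</table>`.toString();
}

// Constructed sample input standing in for the untrusted JSON from the server.
const sampleRows = [{ name: 'Tom & "Jerry"', comment: "it's </td><b>x</b>" }];
renderTable(sampleRows);
```

In the browser the result goes into the DOM as in the question, myDiv.innerHTML = renderTable(rows); this covers element content only, so a value placed in an attribute, URL or script context still needs that context's own encoding.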