
I am building a web application in which a user can enter their own product names into a database, but if they add a `'` or `"` it breaks my application. I am pretty sure it is breaking right here:

```javascript
// item.name is interpolated unescaped into the inline onClick handler string,
// so a ' in the name ends the JS string literal and breaks the handler
$cart.innerHTML = items.map((item) => `
    <a href="#" onClick="cartLS.remove(${item.id}); gaRemoveFromCart('${item.name}');" title="Remove This Item" class="btn-remove"><i class="fas fa-times"></i></a>
    </div>
    </li>
`).join("");
```

How can I properly escape if there is a `'` in the item name?
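One way to avoid the problem entirely, as an added example that is not part of the question: the name never goes into a JavaScript context at all, so there is no nested JS-string-inside-HTML-attribute escaping to get right. It assumes `cartLS.remove(id)` and `gaRemoveFromCart(name)` exist as used in the question; the product name and the `<li>`/`<div>` wrappers are constructed for the sample.

```javascript
// Added example, not the asker's code. Instead of splicing item.name into
// an inline onClick handler, where it sits in a JS string literal inside an
// HTML attribute (two nested contexts to escape), the name is stored in a
// data-* attribute as HTML-attribute-encoded text, and one delegated click
// listener reads it back via dataset. Assumes cartLS.remove(id) and
// gaRemoveFromCart(name) exist, as in the question.

// Encode a value for safe use as text or inside a double-quoted attribute.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the cart markup; no user-controlled text reaches a JS context.
function renderCart(items) {
  return items.map((item) => `
    <li>
      <div>
        ${escapeHtmlAttr(item.name)}
        <a href="#" class="btn-remove" title="Remove This Item"
           data-id="${escapeHtmlAttr(item.id)}"
           data-name="${escapeHtmlAttr(item.name)}"><i class="fas fa-times"></i></a>
      </div>
    </li>`).join("");
}

// One listener for the whole cart. The browser decodes the attribute, so
// link.dataset.name is the original product name, quotes and all.
function attachRemoveHandler(cartEl, cartLS, gaRemoveFromCart) {
  cartEl.addEventListener("click", (ev) => {
    const link = ev.target.closest("a.btn-remove");
    if (!link) return;
    ev.preventDefault();
    cartLS.remove(link.dataset.id);
    gaRemoveFromCart(link.dataset.name);
  });
}

// Constructed sample name containing both quote characters and a tag.
const sampleItems = [{ id: 7, name: `Bob's "Best" <b>Widget</b>` }];
const sampleHtml = renderCart(sampleItems);
// In the browser: $cart.innerHTML = sampleHtml; attachRemoveHandler($cart, cartLS, gaRemoveFromCart);
```

The same encoding applies to the server side as well: store the raw name, encode it at the point where it is placed into HTML.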

  • I think what you are doing is an open door to script injection. You are allowing users to write anything they want in your database. Of course you must secure this by encoding the characters and everything. Not only client-side for display, of course, but above all server-side. – Jeremy Thille Oct 30 '20 at 07:58
  • Otherwise, the tags `</div>` and `</li>` are too much, because you do not open them. – flaxel Oct 30 '20 at 07:58

0 Answers