Prevent XSS attacks with string replace method in JavaScript

Asked Dec 22 '20 at 16:46

Active Dec 22 '20 at 16:58

Viewed 1,488 times

I am writing an application where the user can add messages, they are saved in the firebase, and displayed on the page. I am using the following method to protect html injection:

function testHtml(str){
   return str.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

And I output the text as follows:

$("#save").click(function(){
      let text = $("#text").val(); //user input 
          text = testHtml(text);
      $("#resultDiv").append(text);
});

I want to know if this method is safe? Are there any workarounds? If so, which ones? I use this filtering method when displaying messages. Many thanks for considering my request.

edited Dec 22 '20 at 16:58

doo_doo_fart_man

asked Dec 22 '20 at 16:46

Sergei Hronov

4

All you have to do is the use the `.text()` method rather than `.append()` to place the content into the DOM. Using that method will not allow any rendered content or JavaScript to execute. You don't need to parse the string that way either. – Randy Casburn Dec 22 '20 at 16:48
Check this post out https://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery – doo_doo_fart_man Dec 22 '20 at 16:53
@RandyCasburn, thanks for the answer! But I insert not only text, but also html, that is, I add html to the mix with the text, and I want to know if it is safe to use this method? – Sergei Hronov Dec 22 '20 at 16:55
Do you only want to use javascript? – doo_doo_fart_man Dec 22 '20 at 16:59
@Clvckl3s, yes, I just want to understand if this approach can be bypassed? Is he dangerous? It suits me exactly, but I do not know if it is safe. – Sergei Hronov Dec 22 '20 at 17:58
I would personally do it via server side. – doo_doo_fart_man Dec 22 '20 at 18:35

Prevent XSS attacks with string replace method in JavaScript

0 Answers0