
I created a web chat using socket.io; it is an end-to-end encrypted chat. I am encrypting data using AES-GCM. The data is encrypted on the client side and decrypted on the other client's side. So I have a question: how do I safely escape HTML characters? This cannot be done on the server because the server does not have the secret. The only solution is to escape the HTML characters before displaying the text on the client side, where the secret is, but is it safe?

let decryptedData = decrypt(message, iv);
// Escape the plaintext before it is interpolated into the HTML string.
$(`<div class='message_user'>${valitadeMessage(decryptedData)}</div>`).appendTo(".messages_container");


// Replace every character that has meaning in HTML text or attribute
// context with an entity. '&' must be handled first so the entities
// produced by the later replacements are not escaped again, and every
// entity is terminated with ';' so it is well-formed.
function valitadeMessage(message){
 return message.replace(/&/g, '&amp;')
 .replace(/</g, '&lt;')
 .replace(/>/g, '&gt;')
 .replace(/"/g, '&quot;')
 .replace(/'/g, '&#x27;')
 .replace(/`/g, '&#96;')
 .replace(/\(/g, '&#40;')
 .replace(/\)/g, '&#41;')
 .replace(/\{/g, '&#123;')
 .replace(/\}/g, '&#125;')
 .replace(/\//g, '&#x2F;');
}

Is there some safer way to do this? Or is this the only way? I would be grateful if someone could tell me.

Sergei Hronov

0 Answers
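As an added example (not code from the question), here are the two ways of getting a decrypted message into the page without the browser parsing it as markup: a single-pass entity escaper for the string-interpolation style used above, and a DOM-based renderer that sets `textContent` instead of building HTML. The `doc` parameter and the fake document used to exercise it outside a browser are assumptions for this example; `message_user` and `.messages_container` are the names from the question.

```javascript
// Added example: safe client-side rendering of a decrypted chat message.
// Escaping must happen on the receiving client because the server only
// ever sees AES-GCM ciphertext; the risk being mitigated is the peer's
// plaintext being interpreted as HTML in this client's page.

// Characters that carry meaning in HTML text or attribute context.
// Every replacement ends in ';' so the entity is well-formed.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

// Option 1: escape, then interpolate into an HTML string.
// A single pass over one character class avoids the ordering pitfall of
// chained replace() calls, where '&' has to be handled before the rest.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Option 2 (preferred): never build HTML from the message at all. Create the
// element, assign the plaintext as text, and append it. 'doc' is injectable so
// the function can be exercised outside a browser; it defaults to the page.
function appendMessage(container, text, doc = globalThis.document) {
  const el = doc.createElement('div');
  el.className = 'message_user';
  el.textContent = text; // assigned as text, never parsed as markup
  container.appendChild(el);
  return el;
}

// Browser usage, guarded so the file also loads under Node for the checks below.
if (typeof document !== 'undefined') {
  const container = document.querySelector('.messages_container');
  appendMessage(container, '<b>constructed sample</b> & "quotes"');
}
```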