
While taking the input from the form, I sanitized the HTML code to prevent an XSS attack. E.g.:

```
<img src=X onerror=alert("XSS attack")>
```

The above input is converted to:

```
&lt;img src=X onerror=alert(&quot;XSS attack&quot;)&gt;
```

The same is sent to the database.

But while displaying it, I would like to preserve the original input given by the user. So basically I would like to show it as below in the form:

```
<img src=X onerror=alert("XSS attack")>
```

I tried to un-sanitize it; it showed as expected, but the attack happens. That is, the "XSS attack" alert pop-up comes up.

  • What do you expect? It shows as expected and that's why an XSS attack is possible. – Terry Sep 16 '21 at 07:42
  • I expect it to take the input given by the user and not have an XSS attack. I don't want it to be interpreted as HTML code, and the alert doesn't pop up. – Nithin kulkarni Sep 16 '21 at 07:45
  • That's why you don't sanitize when going into the database, but when putting into the template! – deceze Sep 16 '21 at 07:47
  • If the user gives input as , the user input should be preserved and there shouldn't be any alert pop-up. – Nithin kulkarni Sep 16 '21 at 07:48
  • [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Sep 16 '21 at 07:52
  • @Nithinkulkarni Of course. But you can either sanitize the data, store it in the database and display it then. Or you can store the data, and when you need it, retrieve it, sanitize it and display it. In both cases the alert doesn't display. But in the latter you don't have the issue you are facing right now. – Ivar Sep 16 '21 at 07:55
  • Your data has been sanitized to be inserted as HTML without being parsed as HTML. So you can parse this sanitized data directly as HTML and it will "display" the original data that you want. You could also get rid of the HTML sanitization altogether and never parse it as HTML (e.g. by using textContent instead of innerHTML). Just don't do both. – Kaiido Sep 16 '21 at 08:55
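As an added example (not code from the question or the commenters), here are the handling patterns the comments discuss side by side: escaping at the template, inserting the already-escaped stored value directly, un-escaping and inserting as HTML (the bug in the question), and the "don't do both" double-escaping caveat. The DOM is modelled with plain string functions so it runs in Node; the helper names and the `<p>` wrapper are assumptions.

```javascript
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const HTML_UNESCAPES = Object.fromEntries(
  Object.entries(HTML_ESCAPES).map(([ch, ent]) => [ent, ch]));

// Escape the characters that change meaning in HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Decode those same entities. Used here only to model what a browser displays.
function unescapeHtml(s) {
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (e) => HTML_UNESCAPES[e]);
}

// Approximate what the user sees: drop real tags, then decode the entity text.
function visibleText(html) {
  return unescapeHtml(html.replace(/<[^>]*>/g, ""));
}

// True if the markup holds a real element with an on* attribute, i.e. the
// payload reached the parser as markup instead of as text.
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample: the payload from the question.
const USER_INPUT = '<img src=X onerror=alert("XSS attack")>';

// Pattern 1 (what the comments recommend): store raw, escape in the template.
function renderStoreRaw(storedRaw) {
  return `<p>${escapeHtml(storedRaw)}</p>`;
}

// Pattern 2 (the question's setup): store the escaped form and insert it as
// HTML unchanged. The browser shows the original characters as text.
function renderStoreEscaped(storedEscaped) {
  return `<p>${storedEscaped}</p>`;
}

// Pattern 3 (the bug in the question): "un-sanitize", then insert as HTML.
function renderUnescaped(storedEscaped) {
  return `<p>${unescapeHtml(storedEscaped)}</p>`;
}

// Pattern 4 (the "don't do both" caveat): escaping an already escaped value
// shows the entities themselves, e.g. "&lt;img ..." as literal text.
function renderDoubleEscaped(storedEscaped) {
  return `<p>${escapeHtml(storedEscaped)}</p>`;
}
```

Patterns 1 and 2 both display the user's original characters with no live element; pattern 3 produces a real `img` element with an `onerror` handler and shows no text at all, and pattern 4 shows the entities literally.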

0 Answers