How to escape textbox contents of a form using JavaScript (not a JSP page) to avoid XSS? It must be rendered properly on the page while submitting the form.

Ram
  • Please note that there is no XSS risk as long as the data is stored fully client side. Once you send the data to the server and the server stores it and redisplays it to **another** end user, then there's an XSS risk. For that `fn:escapeXml()` in JSP can just be used since it's the server which redisplays it. See also the answer on your previous question http://stackoverflow.com/questions/6957832/how-to-add-el-code-or-jstl-code-through-javascript (where I also already gave a link to another question on how to solve it with JS...) – BalusC Aug 05 '11 at 15:06
  • There is *some* risk with a fully client side solution. Even if the client doesn't pull data out of the URI, the user might innocently type (or copy/paste (hello Facebook spam)) something dangerous. – Quentin Aug 05 '11 at 15:21
  • 1
    I've merged your unregistered account with your registered account. You can now leave comments under answers that are provided, edit your questions and (ultimately) accept the answers that helped you the most. Thanks for using Stack Overflow! :) – Tim Post Aug 05 '11 at 18:12

2 Answers

Insert the text into the document using document.appendChild, document.createTextNode and friends instead of a property (such as innerHTML) that accepts raw HTML.

Quentin
  • If the textbox is already present there and I want to escape contents on onsubmit, please? – Ram Aug 05 '11 at 15:17
  • If you want to escape it for transmission to the server for the *server* to display on a page (and not for displaying on the current page before it is transmitted) then you **must** protect against XSS on the server. You cannot ask the client to stop the client from sending you bad data because you cannot control (and therefore trust) the client. – Quentin Aug 05 '11 at 15:19
"Insert the text into the document using document.appendChild, document.createTextNode and friends instead of a property (such as innerHTML) that accepts raw HTML."

As Quentin says, or, using an existing textbox, use the value property:

// Assigning .value sets the control's text verbatim; it is never parsed as HTML
textObject.value = "value";
Plap
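The following is an added example illustrating both answers; it is not code from Quentin, Plap or the original question. It shows the two safe sinks the answers recommend (a text node created with document.createTextNode, and the .value property of an existing textbox), plus an escapeHtml() helper for the one case where a string genuinely has to be built as HTML. The element ids (comment, preview) and the stub document used for running it outside a browser are assumptions.

```javascript
// Added example; not code from the answers above.
// Two ways to get untrusted textbox contents onto the page without the
// browser parsing it as HTML:
//  1. DOM text nodes / .value (what both answers recommend): the string is
//     inserted verbatim, so nothing needs escaping.
//  2. escapeHtml(): only for the case where you must build an HTML string
//     yourself (e.g. before assigning innerHTML); it encodes the characters
//     that can break out of text or attribute context.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Replace the contents of `container` with a text node holding `text`.
// `doc` is normally `document`; it is a parameter so the function can be
// exercised outside a browser. Returns the text the node actually carries,
// which is the raw input: text nodes do not interpret markup.
function renderAsText(doc, container, text) {
  while (container.firstChild) {
    container.removeChild(container.firstChild);
  }
  const node = doc.createTextNode(text);
  container.appendChild(node);
  return node.nodeValue;
}

// Hook a form's submit event (element ids are assumed, not from the question):
// read the textbox via .value (never parsed as HTML) and preview it as text.
function wireForm(doc, formId, inputId, previewId) {
  const form = doc.getElementById(formId);
  form.addEventListener("submit", (event) => {
    event.preventDefault(); // keep the preview client-side for this demo
    const value = doc.getElementById(inputId).value;
    renderAsText(doc, doc.getElementById(previewId), value);
  });
}

// Constructed stand-in for the DOM so renderAsText can run offline (e.g. in
// node). In a browser, pass the real `document` and real elements instead.
function makeStubDocument() {
  const makeElement = () => ({
    childNodes: [],
    get firstChild() { return this.childNodes[0] || null; },
    appendChild(n) { this.childNodes.push(n); return n; },
    removeChild(n) { this.childNodes.splice(this.childNodes.indexOf(n), 1); return n; },
  });
  return { createTextNode: (t) => ({ nodeValue: String(t) }), makeElement };
}
```

In a browser you would call wireForm(document, "myForm", "comment", "preview") once the page has loaded. Note that this only protects what the current page renders; as the comments on the question point out, anything the server stores and redisplays to other users still has to be escaped on the server (fn:escapeXml() in JSP).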