0

I have a span with this text inside:

/><textarea>

I then try to edit the span's text by replacing what's inside it with a textarea and putting its text inside.

Then, when I try to cancel the edit, remove the textarea and return the data back to the span, this appears:

/> and the textarea near it.

Which is wrong.

I am trying to avoid such things because of XSS attacks.

Also, if I try adding this code inside the span:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

to test if XSS is working... I will not get any error, since I use htmlentities when I refresh the page...

So I use the click button, the textarea appears with this inside... all good here, but when I cancel it so I can see the message back as it was inside the span... the XSS alert pops up...

Any ideas on how to solve this?

stergosz

  • Refer to this question: http://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery. This will allow you to safely insert non-code from a textarea into a span (escaping HTML). Alternatively, you could use a markup language (like [Markdown](http://en.wikipedia.org/wiki/Markdown) with [Markitup](http://markitup.jaysalvat.com/home/)) to allow a user to perform safe-HTML. – hayesgm Aug 14 '11 at 07:52
  • Thanks, I just had to replace html(), which then filled the span with the text, with text(). – stergosz Aug 14 '11 at 07:54

2 Answers

0

I just had to replace html(), which then filled the span with the text, with text().

stergosz

0

Just use text nodes. (`document.createTextNode(text here)` to create it, and then `appendChild` it like any other node.)

Eli Grey
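Both answers come down to the same rule: text that came out of the textarea must go back into the span as text, never as markup. The following is an added example (not code from the question or either answer) showing the unsafe `.html()`-style restore next to the two safe forms, a text node (Eli Grey's answer) and HTML escaping in the style of the Stack Overflow answer linked in the comments. The element ids `msg` and `editor` are assumptions.

```javascript
// Escape the characters that matter in HTML text and attribute context.
// Because one regex pass replaces each character independently, '&' is
// never escaped twice.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};
function escapeHtml(str) {
  return String(str).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: innerHTML (what jQuery .html() does) parses the string as markup,
// so a stored "/><textarea>" or "<SCRIPT>" becomes live elements on restore.
function restoreUnsafe(span, text) {
  span.innerHTML = text; // never do this with user-controlled text
}

// Safe option 1: a text node. The browser stores the characters verbatim
// and never runs them through the HTML parser.
function restoreWithTextNode(span, text) {
  while (span.firstChild) span.removeChild(span.firstChild);
  span.appendChild(document.createTextNode(text));
}

// Safe option 2: build HTML ourselves, but only from escaped text. This is
// what the asker's switch from .html() to .text() achieves.
function restoreWithEscaping(span, text) {
  span.innerHTML = escapeHtml(text);
}

// The probe string from the question, kept as a constructed test value.
const XSS_PROBE = "\"'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";

// The DOM part only runs in a browser; escapeHtml works anywhere.
if (typeof document !== 'undefined') {
  const span = document.getElementById('msg');     // assumed id
  const editor = document.getElementById('editor'); // assumed id
  restoreWithTextNode(span, editor.value); // cancel-edit path: no script runs
}
```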