
There is an HTML input textbox that has an id parameter of exampleId. When something is entered in this textbox and then submitted, a JavaScript/Ajax call is made and the correct results are returned. Cross-site scripting is needed on this textbox so I added into the JavaScript:

testVal=htmlEncode($('#exampleId').val());
$('#exampleId').val(testVal);

That works. It prevents any cross-site scripting attacks. But the problem I am now having is if someone enters the following example: hello? It updates the value in the textbox to hello&#63 which I do not want.

Is there a better way to prevent cross-site scripting, or is there a way I can also decode the value in the textbox so it would still display hello? while still keeping the above XSS prevention?

cloned
FRL
  • What is `htmlEncode`? Please provide a [mcve]. – jabaa Jan 25 '22 at 14:36
  • What do you mean by textbox, if you mean textarea, there is no XSS attack to prevent. It's only if the Ajax call say returned some HTML, and you blatantly set some innerHTML with it. – Keith Jan 25 '22 at 14:39
  • What I can see is that this is not an XSS issue but you are struggling with converted special characters (& == &) and for that I suggest you look into this [Html Decode Entities](https://stackoverflow.com/questions/5796718/html-entity-decode) – Relcode Jan 25 '22 at 14:41
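
The point the comments make, as an added example (not code from the question or its commenters): the browser treats an input's `value` as plain text and never parses it as HTML, so encoding before `.val()` only makes the entity show up literally, while the encoding belongs at the place where the Ajax result is turned into markup. `htmlEncodeAll` is an assumed reconstruction of the question's undefined `htmlEncode` that reproduces the `hello&#63;` behaviour; the other helpers and sample values are constructed for this example.

```javascript
// Assumed reconstruction of the question's htmlEncode: every non-alphanumeric
// character becomes a numeric entity, which is why "hello?" became "hello&#63;".
function htmlEncodeAll(str) {
  return String(str).replace(/[^0-9A-Za-z]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// Output encoder: only the five characters that change meaning in HTML text
// and attribute values. This is what a template/rendering step should apply.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Decoder for numeric entities and the named ones above, used here to show
// what a browser would display if the string were parsed as HTML.
function htmlDecode(str) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return String(str).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return String.fromCodePoint(code);
    }
    return named[body.toLowerCase()] ?? m; // unknown name: leave untouched
  });
}

// Stand-in for $('#exampleId').val(x): value is a plain string property, so
// whatever is stored is displayed verbatim, entities included.
function storeInInput(value) {
  return { value: String(value) };
}

// The step that actually needs escaping: building HTML from the user's query
// and the (untrusted) Ajax results before inserting it into the page.
function renderResultHtml(query, results) {
  const items = results.map((r) => `<li>${escapeHtml(r)}</li>`).join('');
  return `<p>Results for "${escapeHtml(query)}"</p><ul>${items}</ul>`;
}
```

Storing the raw value with `storeInInput('hello?')` keeps the textbox readable; `renderResultHtml` is where a payload in the query or results is neutralised.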

0 Answers