I have a javascript feature that allows users to place arbitrary text strings on a page. I don't want them to be able to insert html or other code, just plain text.
So I figure that stripping out all angle brackets (< and >) would do the trick. (I don't care if they have 'broken' html on the page, or that they're not able to put angle brackets in their text.) Then I realized I had to filter escaped angle brackets (&lt; and &gt;) and probably others.
What all do I need to filter out, for security? Will removing all angle brackets do the trick?
asked Oct 18, 2011 at 14:16 by user151841; edited Oct 19, 2011 at 20:40 by 700 Software
Comments:
- I don't see why you need to filter out escaped angle-brackets. They'll simply appear as angle brackets when presented on a web page, without actually behaving like HTML. – Marcelo Cantos Commented Oct 18, 2011 at 14:20
- Marcelo will you put that as an answer? Then I can accept it :) – user151841 Commented Oct 18, 2011 at 14:22
- It depends on how he does it. He should test to be sure whether your statement applies to his situation or not. – 700 Software Commented Oct 18, 2011 at 14:23
- George - are there any browsers that will parse escaped angle brackets as actual html? – user151841 Commented Oct 18, 2011 at 14:25
- No, not when escaped. I might have misunderstood Marcelo's comment. It just doesn't seem right. – 700 Software Commented Oct 18, 2011 at 14:31
2 Answers
Will removing all angle brackets do the trick?
Just replace all angle brackets with their escaped form. That way, people can write as much "code" as they like, and it just shows up as plain text instead.
Make sure that the first thing you do is replace & with &amp;.
a) For HTML content, just < should be enough.
b) For attribute values, for example if it is going in <input name="sendtoserver" value="custom text"/>, you need to take care of double quotes, but that is all that is necessary. Still, it is good to also do < and >.
It depends on the context. If you want to play it safe, tell your JavaScript to use innerText, which does not need encoding, but you may want to set the CSS to white-space: pre-wrap. This is less error-prone, but also less browser-compatible.
c) On a loosely related note, when escaping JavaScript string terminators using backslashes, the item that might sneak up on you is that if you place content in a script, you need to take care of </script> (not case sensitive). Escaping </ (or just /) should be enough.
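As an added example (not code from the question or the answer above), here is one escaper per output context the answer lists, applied in the order it recommends (& first, then angle brackets, then quotes for attributes, then the </script terminator for inline scripts). It runs under Node; the function names, the renderUserText helper and the sample input are assumptions of this example.

```javascript
// Added example: one escaper per output context. Function names and the
// sample input below are constructed for this example.

// Text content. '&' must be replaced first: if '<' were escaped to '&lt;'
// first, the '&' it produced would itself be re-escaped into '&amp;lt;'.
function escapeHtmlText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute values. A double quote would close a double-quoted attribute,
// so it is escaped as well; the single quote covers single-quoted attributes.
function escapeHtmlAttribute(s) {
  return escapeHtmlText(s)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inline <script> strings. The HTML parser ends the script element at the
// first "</script" it sees (case-insensitively) before any JavaScript runs,
// so quoting/backslash-escaping alone is not enough. JSON.stringify yields a
// valid JS string literal; escaping "/" as "\/" keeps "</" from appearing.
function escapeForScriptString(s) {
  return JSON.stringify(String(s)).replace(/\//g, '\\/');
}

// Check used to confirm the script-context escaper removed the terminator.
function containsScriptTerminator(s) {
  return /<\/script/i.test(s);
}

// Renders the same untrusted text into all three contexts.
function renderUserText(userText) {
  return [
    '<div>' + escapeHtmlText(userText) + '</div>',
    '<input name="sendtoserver" value="' + escapeHtmlAttribute(userText) + '"/>',
    '<script>var custom = ' + escapeForScriptString(userText) + ';</script>',
  ].join('\n');
}

// Constructed sample input containing every context's special characters.
const sample = 'Tom & "Jerry" <b>bold</b> </SCRIPT>';
console.log(renderUserText(sample));
```

Note that escapeHtmlText('&lt;') gives '&amp;lt;', so text a user typed as an already-escaped angle bracket is displayed literally as "&lt;", which is the point made in the comments: escaped brackets render as text, not markup. In a browser, assigning the string to an element's textContent (or innerText, as the answer suggests) skips the text-content escaping entirely, since the DOM stores it as a text node rather than parsing it.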