Maxence Henneron

Reputation: 495

Smiley parser and xss injection protection

I'd like to make a simple chat, and, at the beginning, just parse ':)' and add an image before appending the message. Here's what I tried:

var string = "The message the user wrote";
// .text(string) escapes the message, but .text() below reads the raw string back
var message = $('<div class=\"chat-message\"></div>').text(string);
// the replaced raw string is then inserted as HTML, so user markup is rendered
message.html(message.text().replace(':)', '<img src="smile.png"/>')).appendTo('#chat-messages');

Okay, it works, but let's imagine someone sends this:

<img src="Some illicit picture"/>

Well, it would just display the picture, and I don't want the users to inject HTML code in the page.

So, how can I do this?

Upvotes: 3

Views: 234

Answers (1)

Hoff

Reputation: 243

You should escape the HTML chars on the server side, because JavaScript could be bypassed. In PHP this is done by the htmlspecialchars function, so: $newText = htmlspecialchars($oldtext);

Upvotes: 2
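An added example (not code from either poster) showing why the question's order of operations renders user markup and how the fix looks once the escaping happens before the smiley substitution. It runs in plain Node without jQuery; the function names escapeHtml, renderVulnerable and renderSafe are the example's own, and escapeHtml covers the same characters as PHP's htmlspecialchars with ENT_QUOTES, so the same step can run on the server as the answer recommends.

```javascript
// Escape the five characters HTML treats specially: the same set that
// PHP's htmlspecialchars() handles with ENT_QUOTES. This must run on the
// raw user input BEFORE any markup of our own (the smiley image) is added.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Mirrors the question's code path: .text(string) escapes for display, but
// .text() hands the raw string back, so .html() inserts whatever the user
// typed. Net effect: the message is rendered as HTML, only ':)' is swapped.
function renderVulnerable(message) {
  return message.replace(':)', '<img src="smile.png"/>');
}

// Hardened version: escape first, then substitute every ':)' token.
// The only angle brackets that reach the page are the ones this function
// emits; user-supplied '<' and '>' survive only as &lt; and &gt;.
function renderSafe(message) {
  return escapeHtml(message).split(':)').join('<img src="smile.png"/>');
}

// Constructed sample inputs (not taken from a real chat): an ordinary
// message and one that carries an <img> tag like the question describes.
const friendly = 'hi :) how are you :)';
const hostile = '<img src="x.png"/> :)';

console.log(renderVulnerable(hostile)); // the user's <img> tag is live markup
console.log(renderSafe(hostile));       // &lt;img src=&quot;x.png&quot;/&gt; <img src="smile.png"/>
console.log(renderSafe(friendly));      // two smiley images, no user markup
```

Whichever side does the escaping, the rule is the same: neutralise the user's text first, then add the markup you trust.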
