garuda

Reputation: 67

Preventing XSS in innerHTML attribute

I have the following code:

   nver+="<SPAN CLASS=focusField>"+text.substring(start,end)+"</SPAN>";
   if(text.length>end)
       nver+=text.substring(end,text.length);
   results.innerHTML=nver.replace(/[\n]/g,"<BR>");

so the text variable is tampered with:

textarea:ABCD"> < img/src='x'onerror=alert('XSS')>

First text.substring(start,end) has output 'textarea' and text.substring(end,text.length) has the remaining :ABCD">< img/src='x'onerror=alert('XSS')>

How do I counter this XSS? Is there some way I can use createTextNode or some other functionality to counter this? If so, how do I do it using createTextNode?

Upvotes: 2

Views: 2302

Answers (1)

SilverlightFox

Reputation: 33538

You will need to HTML encode your output.

  function htmlEscape(str) {
        return String(str)
                .replace(/&/g, '&amp;')
                .replace(/"/g, '&quot;')
                .replace(/'/g, '&#39;')
                .replace(/</g, '&lt;')
                .replace(/>/g, '&gt;');
  }

  // HTML encode (i.e. escape) each untrusted piece of text before it is
  // concatenated with your own markup; escaping the whole nver variable
  // afterwards would also escape the <SPAN> you added and show it literally.
  nver+="<SPAN CLASS=focusField>"+htmlEscape(text.substring(start,end))+"</SPAN>";
  if(text.length>end)
        nver+=htmlEscape(text.substring(end,text.length));

  // Newlines become <BR> only after escaping, so no raw tag can get through.
  results.innerHTML=nver.replace(/[\n]/g,"<BR>");

Check out the DOM based XSS Prevention Cheat Sheet for more tips.

Upvotes: 2
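As an added example (not code from the question or the answer), the same highlighted output built two ways: escaping each untrusted piece before it is concatenated with the markup, and with createTextNode so innerHTML is never used. It assumes the text before `start` should also be shown, and the tampered sample is the one from the question.

```javascript
function htmlEscape(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// String approach: escape each untrusted piece BEFORE concatenating it with
// the markup we control, so our <SPAN> survives and attacker characters do not.
function buildHighlightHtml(text, start, end) {
  let nver = htmlEscape(text.substring(0, start));            // assumed prefix
  nver += '<SPAN CLASS="focusField">' + htmlEscape(text.substring(start, end)) + '</SPAN>';
  if (text.length > end) nver += htmlEscape(text.substring(end));
  // Newlines are turned into <BR> only after escaping, so no raw tag can get in.
  return nver.replace(/\n/g, '<BR>');
}

// DOM approach (the createTextNode route the question asks about): text nodes
// are never parsed as HTML, so innerHTML is not used at all.
function renderHighlightDom(container, text, start, end) {
  const doc = container.ownerDocument;
  const appendText = (parent, chunk) => {
    chunk.split('\n').forEach((line, i) => {
      if (i > 0) parent.appendChild(doc.createElement('br'));
      parent.appendChild(doc.createTextNode(line));
    });
  };
  container.textContent = '';                                // clear old output
  appendText(container, text.substring(0, start));
  const span = doc.createElement('span');
  span.className = 'focusField';
  appendText(span, text.substring(start, end));
  container.appendChild(span);
  appendText(container, text.substring(end));
}

// Constructed sample: the tampered value from the question, with start/end
// chosen so that "textarea" is the highlighted substring.
const TAMPERED = "textarea:ABCD\"> < img/src='x'onerror=alert('XSS')>";

// Quick self-check when run directly (no browser needed for the string form).
console.log(buildHighlightHtml(TAMPERED, 0, 8));
```

In a browser, `renderHighlightDom(results, text, start, end)` replaces the `results.innerHTML=` line entirely.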
