js - jquery : prevent input from code injection

Question

Context

I'm creating a tiny jQuery script : By clicking on a word, user can erase it and rewrite what he wants.

Original world is in a . When clicked, the is replaced by an . no

, no submit button, only this .

My problem

When pressing enter key to validate the , the rest of my code works well, except for javascript injection :

My question

What is the best method to prevent my from executing this evil script when pressing enter key?

Please forgive my ingenuous question, and thank you for your advice.

My wrong code

jQuery(document).ready(function($) {

    initNom();

    function initNom() {
        var nomPerso = $('#nomPerso');
        var cheminNom = localStorage.getItem('userName');

        montrerNom();

        nomPerso.on('click', function() {
            $(this).replaceWith(
                    $('')
            );
            $("#nomPerso")
                    .focus()
                    .on('keypress', function (e) {
                        if(e.which === 13) {

                            e.preventDefault();
                            //Disable textbox to prevent multiple submit
                            $(this).attr("disabled", "disabled");

                            sauverNom();
                            montrerNom();

                            $(this).replaceWith($('' + localStorage.getItem('userName') + ''));

                            $(this).removeAttr("disabled");

                            initNom();

                        }
                    });
        });

        function sauverNom() {
            var nom = $('#nomPerso').val();

            if (typeof(Storage) !== "undefined" && nom) {
                localStorage.setItem('userName', nom);
            }
        }

        function montrerNom() {
            if (!cheminNom) {
                nomPerso.text('{Inserer_nom}');
            } else {
                nomPerso.text(cheminNom);
            }
        }
    }
});

Also on CodePen: https://codepen.io/LaBriqueHurlante/pen/mwxjRL

Alon Eitan · Accepted Answer

Just replace the content with .text() instead of .html() so it will escape all the html tags and display them as HTML entities.

The first example will convert the script tags to html entities, so it will be added to the DOM as

<script>alert('Evil Script')</script>

GOOD / SAFE Example:

$(function() {
  $('span').on('click', function() {
    $(this).text( $('#replace').val() ); // GOOD
    
    //$(this).html( $('#replace').val() ); // BAD
  });
});


Click on a word:


  Hello World

BAD / DANGEROUS example

$(function() {
  $('span').on('click', function() {
    // $(this).text( $('#replace').val() ); // GOOD
    
    $(this).html( $('#replace').val() ); // BAD
  });
});


Click on a word:


  Hello World

Now, with your code that you added on your last edit, change:

$(this).replaceWith(
    $('')
);

With:

$(this).replaceWith(
    $('').attr('placeholder', nomPerso.text())
);

And also change:

$(this).replaceWith($('' + localStorage.getItem('userName') + ''));

With:

$(this).replaceWith(
    $('').text( localStorage.getItem('userName') )
);

Those changes will ensure that you're adding elements, and setting their properties with escaped html entities, instead of dumping them unsafely to the DOM: https://codepen.io/anon/pen/JJLBLy

Please note that the first time you run the fiddle it will display the alert because it is embedded in the HTML code itself, but when you change the text to it will be displayed as actual text.

js - jquery : prevent input from code injection

Context

My problem

My question

My wrong code

Answers (1)

Related Questions