Reputation: 3
I'm trying to fetch the hash in my url so that I can use the information to set classes on different elements on my page. To do this is quite simple but I'm worried that I might be vulnerable to XSS by doing this and I want to sanitize the set variable before it can be used. The problem is that I can't get it to work.
So for example, I want to set a variable called "hash" to "gallery" from the url: www.my-domain.com/#gallery.
But I want to make sure that things like this www.my-domain.com/#Hello<script>malicious payload</script> won't work.
The problem is that the console reports the following: Hello%3Cscript%3Enasty%20payload%3C/script%3E
I expected to get just Hello. So, obviously I'm doing something wrong but I just can't figure it out.
This is my code:
<script type="text/javascript">
jQuery(document).ready(function () {
    // Everything after the '#' in the current URL
    var hash = document.URL.substr(document.URL.indexOf('#') + 1);
    // Attempt to strip markup from the hash before comparing it
    hash = hash.replace(/<script[^>]*?>.*?<\/script>/gi, '')
               .replace(/<[\/\!]*?[^<>]*?>/gi, '')
               .replace(/<style[^>]*?>.*?<\/style>/gi, '')
               .replace(/<![\s\S]*?--[ \t\n\r]*>/gi, '');
    console.log(hash); // Check the result in the console
    if (hash === 'gallery' || hash === 'galleria' || hash === 'galleri') {
        jQuery('#prod_description').removeClass('uk-active');
        jQuery('#prod_gallery').addClass('uk-active');
    } else if (hash === 'relations') {
        jQuery('#prod_description').removeClass('uk-active');
        jQuery('#prod_relation').addClass('uk-active');
    } else if (hash === 'other') {
        jQuery('#prod_description').removeClass('uk-active');
        jQuery('#prod_other').addClass('uk-active');
    } else if (hash === 'promotion') {
        jQuery('#prod_description').removeClass('uk-active');
        jQuery('#prod_promotion').addClass('uk-active');
    }
});
</script>
I have tried things like this: .replace('l', '') and that works as expected; the first instance of 'l' in the hash is removed from the result. That led me to think that my regex was wrong, so I tried a much simpler approach like this: .replace(/[^0-9a-z]/gi, '') but that doesn't work either.
Any thoughts on what it is I am doing wrong?
Upvotes: 0
Views: 71
Reputation: 16595
You can do a simple indexOf, just be sure not to eval the data; and if it gets sent server-side be sure the guys properly handle it.
You should not be doing any replacing like this as there are endless possibilities.
Ex:
var h = decodeURIComponent(window.location.hash.substr(1));
if (h.indexOf('promotion') > -1) {
    // do some logic
}
Upvotes: 0
Reputation: 96241
but I'm worried that I might be vulnerable to XSS by doing this
You're not, because you are not outputting the hash value in an HTML context anywhere. All you are doing here is comparing it to several different text literals. Even if your hash variable contained something like foo<script>malicious()</script>, comparing foo<script>malicious()</script> to gallery is absolutely harmless; it is just a comparison, which will simply result in false in this case. Merely comparing strings does not execute any code.
As long as you are not inserting the value into the page somewhere, there is no XSS risk here. You can completely remove the lines where you tried to replace stuff.
Upvotes: 2
Reputation: 207501
Well it is encoded so you need to decode it
var hash = decodeURIComponent(window.location.hash.substr(1));
Unless you put that hash directly on the page, that script tag in the hash is not going to do anything; the only thing that would happen is that your string comparison is not going to match.
Upvotes: 1
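An added example, not code from the question or any of the answers, that combines the two points made above: decode the fragment with decodeURIComponent (which is why the question's regexes never matched the encoded string), then pick the tab from a fixed allowlist instead of trying to strip markup out of the value. The tab names and element ids are taken from the question's code; the malformed-encoding handling and the injected jQuery-like `$` parameter are my own additions.

```javascript
// Allowlist of fragment values -> element ids (names from the question's code).
// The raw hash is never used in a selector or inserted into the DOM.
const TABS = new Map([
  ['gallery', 'prod_gallery'],
  ['galleria', 'prod_gallery'],
  ['galleri', 'prod_gallery'],
  ['relations', 'prod_relation'],
  ['other', 'prod_other'],
  ['promotion', 'prod_promotion'],
]);

// Extract and decode the fragment of a URL string (e.g. location.href).
// The fragment arrives percent-encoded ("Hello%3Cscript%3E..."), so decode
// it first. decodeURIComponent throws URIError on malformed sequences such
// as "%E0%A4%A"; treat that as "no usable hash" rather than crashing.
function readHash(url) {
  const i = url.indexOf('#');
  if (i === -1) return '';
  try {
    return decodeURIComponent(url.slice(i + 1));
  } catch (e) {
    if (e instanceof URIError) return '';
    throw e;
  }
}

// Map the decoded fragment to an element id, or null when it is not a known
// tab. Anything outside the allowlist ("Hello<script>...</script>",
// "constructor", etc.) is simply ignored; a Map avoids prototype lookups.
function resolveTab(url) {
  const hash = readHash(url);
  return TABS.has(hash) ? TABS.get(hash) : null;
}

// Apply the selection with the same class toggling as the question's code.
// `$` is passed in (jQuery in the browser, a stub in tests); only ids from
// TABS ever reach the selector. Returns whether a tab was activated.
function activateTab(url, $) {
  const id = resolveTab(url);
  if (id === null) return false;
  $('#prod_description').removeClass('uk-active');
  $('#' + id).addClass('uk-active');
  return true;
}
```

In the page this would be called as activateTab(location.href, jQuery) from the ready handler; an unknown or malformed fragment leaves the default description tab active.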