Reputation: 91
Forbid javascript in a div
At the moment I am working on a website. Inside this website administrators shall be able to post text.
I´d like to give the user a possibility to use HTML-Code, but I do not want them to be able to post javascript code.
Is there an html-Tag (or workaround) to prohibit javascript?
Upvotes: 1
Views: 206
Answers (1)
Reputation: 17049
There's no plain html tag that blocks inline JS from running.
Between the many workarounds, the most elegant one is to disable inline script tags altogether by using CSP headers, but this may not be possible depending on your current architecture. You could also consider using some sanitization library to clean up the post content, there are simple strategies like using a regex to find <script tags.
I suggest reading https://glebbahmutov.com/blog/disable-inline-javascript-for-security/ to get a better sense of how CSP works and what are your options.
It's also worth reading https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Upvotes: 1
Related Questions
- Is there a way to disable JavaScript within the HTML file?
- Prevent user-entered scripts from running in webpage
- Don't execute javascript inside html tag
- Disable all javascript inside div
- Disable js within an html tag
- Disable javascript in a element
- How do disable JavaScript inside an div?
- Is there a way to keep JavaScript from running on my website?
- How to prevent script tags in text from executing?
- Prevent div from loading with javascript/jquery