JJ Binks
Reputation: 21
Is HTML encoding angle brackets, &, newline, and quotes enough to prevent XSS?
I am creating a website, and I have a section where the user can provide input via a form. The input is sanitized using this:
str.replace(/[\x26\x0A<>'"]/g,function(r){return"&#"+r.charCodeAt(0)+";"})
After that, the data is placed between <p> tags. So something like this:
<p id="foo">Random message</p>
Is my replacement function good enough to prevent an XSS attack?
Upvotes: 1
Views: 1229
Answers (1)
GKFX
Reputation: 1400
This is basically a duplicate of Can I escape html special chars in javascript?. Yes your code is probably safe, it does the same as what the accepted answer there does.
Upvotes: 1
Related Questions
- Is it really insecure to build HTML strings in Javascript?
- Is it enough to avoid xss?
- Will HTML Encoding prevent all kinds of XSS attacks?
- Does HTML encoding prevent XSS security exploits?
- Does removing the javascript characters(' " \ &) from input script prevents XSS?
- Is this vulnerable to dom-based xss?
- Is escaping < and > sufficient to block XSS attacks?
- Escaping < Good Enough to Prevent XSS Attacks
- Is replacing : < and > with &lt; and &gt; enough to prevent XSS injection?
- Is it necessary to "escape" character "<" and ">" for javascript string?