cackle

Reputation: 760

How to fix XSS vulnerabilities in JavaScript?

1) I get a response with HTML tags, for instance: This is <b>Test</b>

2) Sometimes the response may contain script (or iframe, canvas, etc.) tags (XSS), for instance: This <script>alert("Hello from XSS")</script> is <b>Test</b>

3) How can I remove all of the XSS tags (script, iframe, canvas...) but not the other HTML tags?

PS: I can't use escape because it removes <b>, <strong> and other tags.

Upvotes: 4

Views: 17810

Answers (3)

Suresh Gupta

Reputation: 603

The function below could be used to encode input data to fix XSS vulnerabilities in JavaScript:

/* Using jQuery: escape HTML/JS characters by setting the value as the text
   of a detached <div> and reading back the serialised (encoded) HTML. */
function htmlEncode(value) {
    if (value) {
        return $('<div/>').text(value).html();
    } else {
        return '';
    }
}

Upvotes: 1

bobince

Reputation: 536715

How can I remove all of the XSS tags (script, iframe, canvas...) but not the other HTML tags?

All tags can harbour XSS risks. For example <b onmouseover="...">, <a href="javascript:..."> or <strong style="padding: expression(...)">.

To render HTML ‘safe’ you need to filter it to only allow a minimal set of known-safe elements and attributes. All URL attributes need further checking for known-good protocols. This is known as ‘whitelisting’.

It's not a simple task, as you will typically have to parse the HTML properly to detect which elements and attributes are present. A simple regex will not be enough to pick up the range of potentially-troublesome content, especially in JavaScript, which has a relatively limited regex engine (no lookbehind, unreliable lookahead, etc.).

There are tools for server-side languages that will do this for you, for example PHP's HTML Purifier. I would recommend using one of those at the server-side before returning the content, as I'm currently unaware of a good library of this kind for JavaScript.

Upvotes: 5

xdazz

Reputation: 160943

You don't need to remove the tags, just do the translations. For example, turn < into &lt;, > into &gt;, etc.

If you are using PHP, some functions exist for this:

htmlspecialchars

htmlentities

Upvotes: 0
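Added example, not code from the question or any of the answers above: a jQuery-free version of the htmlEncode() escaping approach from the first and third answers, plus the URL-scheme allowlist check that the second answer says every href/src attribute needs once the markup has been parsed. It also shows why a tag-name blacklist of the kind the question proposes is not enough: stripping <script> leaves an event-handler attribute on a "harmless" <b> untouched, whereas escaping neutralises both. The function names, the scheme list and the sample strings are my own choices; a full element/attribute allowlist still needs a real HTML parser (DOMParser in a browser, or a server-side library such as the HTML Purifier named above), which this example does not implement.

```javascript
// Added example (not from the original Q&A). Runs in Node or a browser; no DOM needed.

// The five characters that must be encoded before untrusted text is placed into
// an HTML element body or a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text for an HTML text node or quoted attribute value.
// '&' is encoded too, otherwise a literal "&lt;" in the input would render as '<'.
// Unlike the jQuery htmlEncode() above, only null/undefined become '', so 0 survives.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Schemes allowed in href/src after the markup has been parsed (assumed policy).
const SAFE_SCHEMES = ['http:', 'https:', 'mailto:'];

// True only if a URL attribute value is relative or uses an allowed scheme.
// Leading whitespace/control characters are stripped and the scheme is
// lower-cased so that "  JavaScript:" style spellings are not treated as relative.
function isSafeUrl(url) {
  const trimmed = String(url).replace(/^[\s\u0000-\u001f]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  if (!m) return true; // no scheme at all: "/path", "#anchor", "page.html"
  return SAFE_SCHEMES.includes(m[1].toLowerCase() + ':');
}

// The blacklist the question asks for (drop script/iframe/canvas, keep the rest).
// Included only to contrast with escaping: it never looks at attributes, so the
// event handler on the <b> the second answer mentions passes straight through.
function stripBlacklistedTags(html) {
  return html.replace(/<\/?(script|iframe|canvas)\b[^>]*>/gi, '');
}

// Constructed sample: an "allowed" tag carrying an event handler plus a <script>.
const SAMPLE = 'This <b onmouseover="alert(1)">Test</b> is <script>alert(2)</script>';

// Returns both treatments of SAMPLE so the difference can be inspected or asserted.
function demo() {
  return {
    blacklisted: stripBlacklistedTags(SAMPLE), // handler attribute still present
    escaped: escapeHtml(SAMPLE),               // no markup survives at all
  };
}

console.log(demo());
console.log(isSafeUrl('javascript:alert(1)'), isSafeUrl('https://example.com/'));
```

If the requirement really is to keep <b> and <strong> while dropping everything dangerous, escaping is the wrong tool and the allowlist parser route from the second answer is the one to take; the isSafeUrl() check is the piece of that policy that applies to link attributes.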
