
I want to display html provided by a user in a page. My page is almost entirely dynamic (JS code), and I was wondering if there's an easy way to sanitize it?

Like, maybe I could remove all the <script> and <iframe> tags and unbind all the events contained in the string (or remove any html attribute starting with 'on') in order to not have any javascript code from the string possibly executed?

Can the users possibly insert javascript with a css 'content' property in a style attribute?

The jquery $(...).text(...) function doesn't help me, since I want to preserve any html mark-up or css styling.

If there's no easy solution I'm ready to live with a whitelist of html tags (table span div img a b u i strong...), but I'd rather not have to white-list the attributes too.

  • I searched and either the answer was $.text() or else it was a sanitizing library like DeXss or JSoup in java but not javascript... But this is a problem so common that a library must exist in javascript for it, though I couldn't find it. As for me trying... how would I know I could prevent all XSS attack or not with my code? :) Commented Dec 15, 2012 at 18:17
  • IMO, if you need to store user input on server (to be displayed later, possibly to other users), leave the task to the server. If you don't, there's not much sense in doing it in JS, since the user can easily circumvent it. Commented Dec 15, 2012 at 18:23
  • 1
    The href attribute of "a" tags can be used to inject JavaScript. Commented Dec 15, 2012 at 18:30
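The filter the question sketches, written out as an added example so it can be run against sample input; this is not code from the question or its comments, and the inputs are constructed here. It does what the question asks for (drops script/iframe elements and on* attributes) and then shows the case a commenter raises: a javascript: URL in an href, which carries no script tag and no event attribute and so passes through untouched.

```javascript
// Added example, not from the original post. The "naive" filter below is the
// approach proposed in the question, written as a regex pass over a string so
// it can be tried on sample input. It is the "before" case, not a recommendation:
// regex-based HTML filtering is exactly the whack-a-mole the answer warns about.

// Drop <script>...</script> and <iframe>...</iframe> elements, then drop any
// attribute whose name starts with "on" (onclick, onerror, onload, ...).
function naiveStrip(html) {
  return html
    .replace(/<(script|iframe)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '')
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Constructed sample the filter does handle: an inline handler and a script.
const inlineHandlerSample = '<b onclick="alert(1)">hi</b><script>alert(2)</script>';

// Constructed sample that survives untouched: the href case from the comments.
// No <script>, no on* attribute, yet a click on the link runs code.
const hrefSample = '<a href="javascript:alert(3)">click</a>';

// Check used to show the bypass: does the filtered output still carry a
// javascript: URL? (A real check would have to parse the markup; this regex is
// only here to make the point visible.)
function stillHasJavascriptUrl(html) {
  return /\bjavascript:/i.test(html);
}

console.log(naiveStrip(inlineHandlerSample)); // handler and script removed
console.log(naiveStrip(hrefSample));          // unchanged: the href payload is untouched
console.log(stillHasJavascriptUrl(naiveStrip(hrefSample)));
```

Whitelisting tags, as the question's fallback suggests, does not close this gap either: `a` is on that whitelist, and the payload lives in its attribute value, not in the tag name.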

1 Answer


The more foolproof way to show user content safely is to embed it in an iframe whose origin is a different domain than your host web page. This is what jsFiddle does. The main page is served from jsfiddle.net, but the user scripts are served from fiddle.jshell.net. This lets the user content do what it would normally do, but the browser's cross-origin protection keeps the user content from messing with the host page or domain or cookies, etc.

Trying to strip all possible places that scripts could be in the content is a risky proposition in which you will probably forever be chasing new attack vectors. I'd personally much rather let the browser be in that business and put the user content on a different domain. Plus, allowing the user content to have its normal JS will also let it work as desired.


4 Comments

Thanks. Indeed letting the browser be in charge of that seems like the best idea, I just didn't know it was possible!
Just to be clear here, you will need to set up a second domain that you serve the user content from into the iframe.
Yea, like iframe.src="http://other.domain?content="+base64encode(userText). I got it!
Or, if you intend to store it server-side, send it to your server, get an ID for it from the server upon return and do `iframe.src="other.domain?id=295958"`.
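The cross-origin iframe pattern from the answer and its comments, as an added example; this is not the answer's code and not what jsFiddle ships. It splits the work into the host-page side (build the frame URL, pick the frame's attributes, validate anything the frame sends back) and the content-origin side (recover the HTML from the URL). The origins `https://app.example` and `https://usercontent.example`, the `/render` path and the `content` query parameter are assumptions made for the example; the base64-in-the-URL variant is the one from the comments, with the server-issued id being the alternative for stored content.

```javascript
// Added example, not code from the answer. Pure functions so both sides of the
// scheme can be exercised without a browser; the DOM wiring (creating the
// <iframe>, listening for "message") is left to the host page.

const HOST_ORIGIN = 'https://app.example';            // assumed host page origin
const CONTENT_ORIGIN = 'https://usercontent.example'; // assumed second domain; must differ

// Host side: build the iframe src. The user HTML travels base64-encoded in the
// query string (the comments' first variant). For stored content a server-issued
// id is preferable: it avoids URL length limits and keeps the payload off the wire.
function buildFrameSrc(userHtml, contentOrigin = CONTENT_ORIGIN, hostOrigin = HOST_ORIGIN) {
  const target = new URL('/render', contentOrigin);
  // Misconfiguration guard: the whole scheme rests on the two origins differing.
  if (target.origin === new URL(hostOrigin).origin) {
    throw new Error('user content must be served from a different origin than the host page');
  }
  target.searchParams.set('content', Buffer.from(userHtml, 'utf8').toString('base64'));
  return target.toString();
}

// Host side: attributes for the <iframe> element. The separate domain is the
// real boundary; "sandbox" additionally stops the frame from navigating the host
// page, opening popups or submitting forms. allow-scripts keeps the user's own
// JavaScript working, as the answer wants. allow-same-origin is acceptable only
// because CONTENT_ORIGIN is not the host origin; it lets the frame keep its real
// origin so the postMessage check below has something to compare against.
function frameAttributes(src) {
  return {
    src,
    sandbox: 'allow-scripts allow-same-origin',
    referrerpolicy: 'no-referrer',
  };
}

// Content-origin side (the /render page on usercontent.example): recover the
// HTML from its own URL. This page may write the HTML into its document freely;
// anything it does runs under usercontent.example, not the host origin.
function extractUserHtml(frameUrl) {
  const encoded = new URL(frameUrl).searchParams.get('content');
  if (encoded === null) {
    throw new Error('missing content parameter');
  }
  return Buffer.from(encoded, 'base64').toString('utf8');
}

// Host side: if the frame reports back via postMessage, accept only messages
// from the content origin and treat the payload as untrusted data, never as HTML.
function isTrustedFrameMessage(event, expectedOrigin = CONTENT_ORIGIN) {
  return typeof event.origin === 'string' && event.origin === expectedOrigin;
}

// Constructed sample: markup with script and a non-ASCII character, so the
// round trip through base64 and the URL is visible end to end.
const sampleUserHtml = '<p style="color:red">caf\u00e9</p><script>document.title="hi"</script>';
const sampleSrc = buildFrameSrc(sampleUserHtml);
console.log(frameAttributes(sampleSrc));
console.log(extractUserHtml(sampleSrc) === sampleUserHtml);
```

The host page never touches the user HTML beyond encoding it into the URL; in particular it must not copy it into its own document for a preview or a fallback, or the isolation is gone.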
