How do i prevent html/javascript code from running on a textbox

Question

I have a chat application wirtten in javascript, when a user enters an html code like

 <button>click</button>

a button appears on chat. I use this code

 if(message.indexOf('<button') != -1)
            {   
              message = message.replace(message, '&#45;'); 
            }

but this just replaces the < button

with a blank space, I want it to be displayed as text and not an actual button.

Thanks

That you have a chat application implies you've got serverside processing going on. Don't bother trying to amend the code at the upload stage (it's trivial to bypass and to run arbitrary javascript on a receivers machine). Clean the datastream on the server before re-broadcasting it. — symcbean
– symcbean, Commented Jul 16, 2012 at 15:01

Niet the Dark Absol · Accepted Answer · 2012-07-16 14:47:54Z

7

I just use this:

message = message.replace(/</g,"&lt;");

That's all that's needed to prevent HTML from being inserted.

answered Jul 16, 2012 at 14:47

326k86 gold badges480 silver badges604 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Konstantin Dinev · Accepted Answer · 2012-07-16 14:53:05Z

1

Your general encode procedure here would be:

value = value.toString().replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/'/g, "&#39;").replace(/"/g, "&#34;");

answered Jul 16, 2012 at 14:53

Konstantin Dinev

35k14 gold badges79 silver badges103 bronze badges

Chain anything else you would like to encode, e.g. ampersand.

ViROscar · Accepted Answer · 2012-07-16 14:51:02Z

0

what html element did you use for print the chat? try use textarea or pre tag.

try to control those errors in the back end because everybody can deactivate javascript.

answered Jul 16, 2012 at 14:51

ViROscar

1481 silver badge12 bronze badges