5

Is there any way for me to disable all sort of JavaScript inside a particular div?
I initially thought the <noscript> tag was meant for that, but it turns out I was wrong.

Here is what I am looking for:

<some-sort-of-tag-here>
    <script>
        alert('test');
    </script>
</some-sort-of-tag-here>

Would get rendered as: 

<script>
    alert('test');
</script>

Rather than executing the script. This would prevent any form of XSS and other external JavaScript (that has been included in the head) would be able to modify the given tag.

I may be completely wrong here and such a tag may not exist at all, but please help me out here. I feel such a tag would be the simplest solution to XSS. There's no need to worry about any script executing inside the tag, (which means all user content can be wrapped in that tag), while all website-included javascript would be able to modify the content of the page as required.

How would I proceed with creating a tag inside which all content is treated as pure HTML only and not execute any form of JavaScript inside it?

Improve this question
2
  • You can sanity check user content in JS. As far as I'm aware there is no specific tag to prevent it. That's entirely up to you. It could be that you're using a framework which is already actively protecting against user content. General rule of thumb is that users are all dodgy hacking scumbags, and you should validate everything. Depending on what you're using, there is likely already a module for it. Commented Mar 3, 2018 at 20:54
  • @LokiSinclair Yes you're right. I am currently cleaning my user inputs. However, if I had such a tag, I wouldn't have to worry about code being injected from somewhere else (like a referrer or something). Makes life a lot easier. :P If only the HTML spec had such a feature :P Commented Mar 3, 2018 at 21:00

2 Answers 2

Reset to default
2

I'm afraid a tag like that doesn't exist, you'll have to html-encode the contents yourself.

So that this:

<script>
    alert('test');
</script>

Becomes this:

&lt;script&gt;
    alert('test');
&lt;/script&gt;

Also note that if there was a safe tag, like this:

<safe>
    <script>
        alert('test');
    </script>
</safe>

Anyone could circumvent it by making their content:

</safe>
<script>
    alert('test');
</script>
<safe>
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Yes, I agree. People could walk around the safe tag. I was originally thinking of replacing all occurrences of the </safe> tag with an empty string to prevent escaping it, but then that's the same as replacing the <script> tag isn't it? Oh well. We're back to square one
Most server-side languages have a way of HTML-encoding content. Javascript however does not, but there are plenty of example of custom solutions on stack overflow.
1

Interesting concept. Do you want this to be able to display the code without running it? If so, the xmp tag could be one way.

<xmp>
<script>
    alert('test');
</script>
</xmp>

However xmp is deprecated and is not guaranteed to work on all browsers (although most do it correctly). So a hack around is to use a textarea with added formatting. Like this:

<textarea disabled="true" style="border: none;background-color:white;">
    <script>
        alert('test');
    </script>
</textarea>
Improve this answer

5 Comments

Wait...what? HTML gets rendered inside a textarea?
No, just the plaintext, keeping the tags as they are written.
What if my content is: </textarea><script>alert...?
Ahhh...there's the rub. I was thinking of having something that can render HTML, but not execute JavaScript. So that we can have this tag at the beginning of the body tag and avoid any form of script executing while still render HTML content
@Stanislas true, I was trying to avoid it with disabled=true to not let users edit the inside, but if the content is submitted by the user anyway, there needs to be a check that removes that tag

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.