How to prevent script tags in text from executing?

Question

I had a text box in my browser. Whatever you typed in the text box and clicked on okay button, the text submitted server through a AJAX request and then spread that message to remaining people, including to me also.

The message is appeared on a <div>.

What's my problem is if I typed html or script tags in that message they are not appearing in the message <div> and they are executing .

If I typed like tags opened and end with script in that middle code is executing on client side, how can I prevent executing and I am able to spread <script> tags also in the messages spreading to all.

Handle your text as text, not HTML.

alex
– alex

2011-03-26 06:05:43 +00:00
Commented Mar 26, 2011 at 6:05 — alex
– alex, Commented Mar 26, 2011 at 6:05
@alex Indeed. Consider an answer ;-)

user166390
– user166390

2011-03-26 07:15:57 +00:00
Commented Mar 26, 2011 at 7:15 — user166390
– user166390, Commented Mar 26, 2011 at 7:15
@psd Thanks, and OK, I shall write one.

alex
– alex

2011-03-26 07:19:36 +00:00
Commented Mar 26, 2011 at 7:19 — alex
– alex, Commented Mar 26, 2011 at 7:19

Community · Accepted Answer · 2020-06-20 09:12:55Z

2

If you want the text to always be text, treat is as text and don't use it to set innerHTML property for example.

Update text nodes instead.

Update

For example, if you had user input in userInput, and you wanted to display it, you would treat it as text, not HTML.

var element = document.body,
    // For example
    userInput = "Alex <script>alert('xss')</script>";

// Don't do this! Your input is text, not HTML.
// element.innerHTML = userInput;

// Use this instead
if ('textContent' in element) {
    element.textContent = userInput;
} else {
    element.innerText = userInput;
}

jsFiddle.

edited Jun 20, 2020 at 9:12

CommunityBot

11 silver badge

answered Mar 26, 2011 at 7:20

alex

492k205 gold badges891 silver badges992 bronze badges

Sign up to request clarification or add additional context in comments.

5 Comments

user529429 Over a year ago

thanks @alex .but i did'nt understood .you only understood my problem ..please give me in breif ..please .please

user529429 Over a year ago

use it to set innerHTML property for example. what is means ?? and how to update text nodes instead .

alex Over a year ago

@suresh See update. You will need to do a little research by yourself as well.

user529429 Over a year ago

and one more doubt ...if(textContent in element) ..what does that special symbols above text content shown??

alex Over a year ago

@suresh See updated code, I accidentally used backticks as string delimiters :)

Paul Sham · Accepted Answer · 2011-03-26 05:59:50Z

2

Have you tried replacing with html character entities? For example replacing all < with <.

answered Mar 26, 2011 at 5:59

Paul Sham

3,2052 gold badges26 silver badges31 bronze badges

Collectives™ on Stack Overflow

How to prevent script tags in text from executing?

2 Answers 2

Update

5 Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

Update

5 Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related