0

I need to prevent adding scripts inside input fields.is there any way to prevent adding javascript codes in text fields/text areas?

function filter($event) {
    var regex = /[^a-zA-Z0-9_]/;
    let match = regex.exec($event.target.value);
    console.log(match);
    if (match) {
        $event.preventDefault();
    } else {
        return true;
    }
}
Improve this question
6
  • Answered here stackoverflow.com/a/38085541/15866576 Commented Jun 16, 2022 at 9:05
  • So you want to stop the user from entering code that could potentially be run? Just sanitize it and replace any characters (parentheses, quotes, etc) with an encoded version instead of the literal string. Commented Jun 16, 2022 at 9:05
  • 2
    @Basta No, I don't think that's the case - I believe OP wants users to not be able to enter JS code in an input. Commented Jun 16, 2022 at 9:05
  • @JackBashford yes, I want to stop pasting or type javascript codes in Html input fields Commented Jun 16, 2022 at 9:14
  • Well then you have to have some way to detect if a string is a JavaScript code fragment (which is incredibly difficult, IMHO - just block specific characters like ()[]{}; and you should have some small success (not much you can do without them as far as I can think right now). Commented Jun 16, 2022 at 9:17

3 Answers 3

Reset to default
1

Using the xss package works well (https://github.com/leizongmin/js-xss)

With nodeJs:

var xss = require("xss");
var html = xss('<script>alert("xss");</script>');
console.log(html);

With HTML file

<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
<script>
  // apply function filterXSS in the same way
  var html = filterXSS('<script>alert("xss");</scr' + "ipt>");
  alert(html);
</script>

enter image description here

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

You can sanitize the input by defining the blacklist regex which contains the patterns not allowed by the input and then replaced the part of input string with empty string if matched with the blacklist regex.

For now I just added a simple blackList regex (You can modify it as per your requirement) which will replace all the text comes between < and >. For Ex: If user enter <script>Hello</script> (This whole input text will get replaced with the empty string on keyup event.

const blackList = /<+>/ig

function sanitizeInput() {
  const inputStr = document.getElementById('inputStr').value;
  console.log('inputStr', inputStr)
  document.getElementById('result').innerHTML = inputStr?.replace(blackList, '')
}
<input type="text" id="inputStr" onkeyup="sanitizeInput()"/>

<div id="result"></div>

Improve this answer

Comments

0

here I have found the solution, I think it will work.

input.replace(/</g, "<").replace(/>/g, ">").replace(/=/g, "equal;");

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.