Detecting html tags or javascript code in a text field

Posted on 2010-04-08
Medium Priority
Last Modified: 2013-11-16
Hi all,

I'm trying to detect if html tags or javascript code is introduced in my one field (search field) form. How can I do that?

Here's the variable with the string introduced in the field:
var wordsToSearch  = document.getElementById("searchfield").value;

Thanks a lot
Question by:Dada44
LVL 19

Expert Comment

ID: 30111501
You can use regular expressions to check whether the text introduced contains "<", ">" or "javascript:"... however, if you are afraid of code-hacking you can limit the size of the text introduced in the field and eliminate "/' characters to prevent the inserted text from breaking your query statement and starting to execute malicious code.
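Added example, not code from the thread: a client-side check in the spirit of the suggestion above, flagging input that looks like an HTML tag or a javascript: URL and capping its length. The function names, the regexes and the sample inputs are constructed for illustration; the server still has to repeat these checks, because anything done in the browser can be skipped by posting the form directly.

```javascript
// Added example (not from the thread). Names and sample inputs are constructed.

// "<" starts a tag only when followed by a letter, "/", "!" or "?";
// "price < 100" is plain text and must not be flagged.
const TAG_START = /<\/?[a-z]|<!|<\?/i;
// javascript: scheme, tolerating the tab/newline padding browsers strip ("java\tscript:").
const SCRIPT_URL = /\bj\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:/i;

function looksLikeMarkup(text) {
  // Also inspect a percent-decoded copy so "%3Cscript%3E" does not slip past.
  let decoded = text;
  try {
    decoded = decodeURIComponent(text);
  } catch (err) {
    // Malformed %-sequence (e.g. a literal "100%"): only the raw text is checked.
  }
  return [text, decoded].some((s) => TAG_START.test(s) || SCRIPT_URL.test(s));
}

// Trim and length-limit the term, then run the check on what is left.
function prepareSearchTerm(raw, maxLength = 100) {
  const term = String(raw).trim().slice(0, maxLength);
  return { term, rejected: looksLikeMarkup(term) };
}

// Constructed inputs standing in for document.getElementById("searchfield").value
const samples = [
  "cheap flights",
  "price < 100 and > 50",
  "<script>alert(1)</script>",
  "<img src=x onerror=alert(1)>",
  "click javascript:alert(1)",
  "%3Cb%3Ebold%3C%2Fb%3E",
];
for (const s of samples) {
  const { term, rejected } = prepareSearchTerm(s);
  console.log(rejected ? "REJECT" : "ok    ", JSON.stringify(term));
}
```

This is a heuristic, not a parser: it tells you when a search term is not a plausible search term, which is a reasonable thing to show the user. It is not what protects the page; that is done by encoding the value wherever it is written back into HTML and by using bound parameters wherever it reaches SQL.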
LVL 83

Expert Comment

ID: 30111505
LVL 30

Expert Comment

by:Brad Howe
ID: 30111728

What you are looking for is to HTML-encode your strings. When you HTML-encode a string, dangerous characters such as < and > are replaced by HTML entity references such as &lt; and &gt;. So when a user inputs text such as <html><html> or <script></script>, it is converted to &lt;script&gt;&lt;/script&gt;. The encoded string no longer executes as JavaScript when interpreted by a browser.

Take a look here, http://lunarmedia.com/blogs/lunarmedia_blog/archive/2006/10/23/120405.aspx
This is just an example.
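Added example, not code from the thread or the linked article: an HTML encoder of the kind the comment above describes, applied to a search term before it is echoed back into the page, with the unencoded version beside it so the difference is visible. Function names and the sample query are constructed; the same encoding is what the server-side script should apply at the point where it prints the value into HTML.

```javascript
// Added example (not from the thread). Names and sample input are constructed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// One pass over the five significant characters. Doing it in a single replace()
// avoids the double-encoding that chained replace() calls produce when "&" is
// handled after "<" or ">".
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the "Results for ..." line as markup. Because the query is encoded, a value
// such as <script>...</script> reaches the browser as text, not as an element.
function renderSearchEcho(query) {
  return '<p>Results for "' + htmlEncode(query) + '"</p>';
}

// Same output without encoding: this is the injection the encoding prevents.
function renderSearchEchoUnsafe(query) {
  return '<p>Results for "' + query + '"</p>';
}

// Constructed input standing in for document.getElementById("searchfield").value
const wordsToSearch = "<script>alert(1)</script>";
console.log(renderSearchEchoUnsafe(wordsToSearch)); // the script tag is live markup here
console.log(renderSearchEcho(wordsToSearch));       // the tag is inert text here
```

Encoding happens at output, not at input: store the search term as the user typed it and encode it each time it is written into HTML. If you assign it through the DOM instead (`element.textContent = wordsToSearch`), no encoding is needed because the browser never parses it as markup.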


LVL 14

Expert Comment

ID: 30120137
May I point out that using JavaScript to prevent JavaScript injection is actually wrong.

The form can be generated remotely, bypassing the client-side injection prevention (the JavaScript you are asking for) and sent to the server, to deliver whatever payload they want.

The only reliable solution is to prevent the injection on the server-side.

Bottom-line, without server-side countermeasures, I can bypass your JavaScript in about 3 minutes.

What you need to do is protect your server-side script (the script that handles the form that I am submitting).

If you are using a server-side script to process the form, tell us what language that script is written in (ASP, Perl, PHP etc) and we can point you to some easy ways to protect your database.

Author Comment

ID: 30124685
Thanks very much  to all for answering.

I've limited the characters one can introduce in the field, but I'm going nuts with regular expressions: too much to learn, too little time to implement :(

tomaugerdotcom, for  the server side I'm using PHP, what can I do to protect the db from it?

Thanks once again!!

Author Comment

ID: 30127993
In the regex chapter I'm doing:

wordsToSearch = wordsToSearch.replace(/\//g, "");
wordsToSearch = wordsToSearch.replace("\\", "");

In order to replace all / and all \ with nothing. But it's replacing the ones at the beginning of the string; if I add some / or \ in the middle, it won't work, they will show.
Also I'm trying the same with the brackets.

Thanks again
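Added example, not code from the thread: the behaviour the post above describes comes from the difference between `replace()` with a string pattern, which touches only the first match, and `replace()` with a regex carrying the `g` flag, which touches every match. The block shows both, plus a single-pass version that covers the brackets too. Function names and inputs are constructed; stripping characters changes what the user searched for, so this is a convenience for the form, not a substitute for the server-side handling discussed earlier.

```javascript
// Added example (not from the thread). Names and inputs are constructed.

// First occurrence only: a string pattern is not global
function stripOnce(text) {
  return text.replace("/", "").replace("\\", "");
}

// Every occurrence: regex with the g flag. "/" and "\" both need escaping inside the literal.
function stripAll(text) {
  return text.replace(/\//g, "").replace(/\\/g, "");
}

// One pass over an arbitrary set of characters, e.g. "/\\<>"
function stripAllOf(text, chars) {
  // Escape regex metacharacters so every entry in `chars` is matched literally
  const escaped = chars.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
  return text.replace(new RegExp("[" + escaped + "]", "g"), "");
}

// Constructed input standing in for document.getElementById("searchfield").value
const wordsToSearch = "a/b\\c/d\\e <tag>";
console.log(stripOnce(wordsToSearch));           // only the first "/" and first "\" are gone
console.log(stripAll(wordsToSearch));            // all slashes gone, brackets remain
console.log(stripAllOf(wordsToSearch, "/\\<>")); // slashes and brackets gone
```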
LVL 14

Accepted Solution

tomaugerdotcom earned 2000 total points
ID: 30138453
Okay, for the Regex in your JS:

Your regular expressions appear to be doing what you're asking them to do: find every occurrence of / and \ and replace it with nothing (a zero-width string).

Can you be more specific about what it's doing that you feel it should not be doing?

And for the PHP, I'm assuming you're writing to your database, right? So be sure to use, at the very least, mysql_real_escape_string() whenever you want to use 'myInputField' within an SQL query, or if you're printing/echoing something back to the page.

mysql_real_escape_string() will strip out all 'nasties' that may be harmful to your database, and will convert all dangerous characters (< > / \ etc) into their code equivalents, which are safe.

To take it one step further, in terms of protecting your database, also be sure to use the new method of reading/writing to a MySQL database, "mysqli". This uses a concept called "prepared statements". Now AFAIK, this will not help so much on the JavaScript side, since your database couldn't care less about JavaScript. So use mysql_real_escape_string() as well. This may sound tedious, but trust me, cleaning up a corrupted database or hacked website is far more tedious. Just ask the guys over at WordPress!!!

Here's the docs on prepared statements. They're very easy to implement:

Example from the docs
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
$stmt = mysqli_prepare($link, "SELECT District FROM City WHERE Name=?"); // the ? is where your variable will go
// now we substitute the variable in place of the "?"
// bind_param takes its arguments by reference, so it needs a variable, not a function call;
// the bound value travels separately from the SQL text and is never parsed as part of the query,
// so escaping it first is unnecessary and would alter the value that is looked up
mysqli_stmt_bind_param($stmt, "s", $city);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $district);
mysqli_stmt_fetch($stmt);


Author Closing Comment

ID: 31712267
