Solved

escape HTML literals to be sure there are no executable script hack attempts

Posted on 2015-01-09
9
180 Views
Last Modified: 2015-01-09
Hi Experts,

Let's say I'm outputting something that I've taken input for  previously.  It's possible that someone tried to place executable javascript in that input field.  I want to write a function that ensures a literal will not execute by escaping out the relevant characters.

Is there a standard way to do this?  What's the best way?

Thanks,
Mike
0
Comment
Question by:thready
9 Comments
 
LVL 32

Assisted Solution

by:Big Monty
Big Monty earned 100 total points
Comment Utility
the easiest way is to escape the < and > chars and use their html expressions.

Eg &lt; instead of < and &gt; instead of > .

var txt = "<script>blah</script>";
var escapedTxt = txt.replace("<", "&lt");
escapedTxt = txt.replace(">", "&gt");
0
 
LVL 9

Assisted Solution

by:sudheeshthegreat
sudheeshthegreat earned 100 total points
Comment Utility
Some of the JS frameworks like jQuery, Prototype and Underscore have such functions to HTML-encode a string.
0
 
LVL 53

Accepted Solution

by:
COBOLdinosaur earned 200 total points
Comment Utility
The prevention of code injection should be part of the routine sanitization server side.  If you are using PHP you have al the method necessary to cleanup anything.  If the data is being stored in a database then using PDO objects forces security before you can insert the data to a DB table.  

Trying to prevent code injection with scripting on the client side is inviting hacks. Idon't care how good you are; the hackers will still beat you if you rely on client side solutions.  There ar just to may ways to fool a browser, because its job is to make things work even with errors, while on the server side the priority is on accessing and protecting resources.

Cd&
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
Comment Utility
In general, you need to accept only 'good' input and reject all other input.  That requires you to define what is good input.  And Cd& is correct.  Client side filtering should be to help the client fill out the form correctly.  Server side filtering is to protect the server and the database.  All of my form pages use both.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 53

Expert Comment

by:COBOLdinosaur
Comment Utility
A lot of the client side helper stuff can be implemented automatically in HTML5, all we need now is to wait for the older browser to phase out and we can get rid of almost all the form related scripting.

Cd&
0
 
LVL 1

Author Closing Comment

by:thready
Comment Utility
Thanks everyone!
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
You're welcome.  On several sites, I've had to kill the HTML5 crap because it did it wrong for what was needed.  'automatically' usually means that you have fixed all the problems and now it works 'automatically'.
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
Comment Utility
LOL... when was the last time anything was delivered by any major software vendor without bugs?

Cd&
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
Oh... yesterday between 4:03 and 4:04 AM...  Never.  And the biggest bug of all has always been 'them' believing without any evidence that they knew what was needed.  As has been said... the nice thing about standards is that there are so many of them to choose from.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
This article demonstrates how to create a simple responsive confirmation dialog with Ok and Cancel buttons using HTML, CSS, jQuery and Promises
In this tutorial viewers will learn how to position items using CSS's three positioning types Create a new HTML document with an internal stylesheet.: Create another div in CSS and name it Absolute : Type "position:absolute;" and "top:10px; left:50p…
In this tutorial viewers will learn how to code links for mobile sites that, once clicked, send a call or text to a specified number. For a telephone link (once clicked, calls a number), begin with a normal "<a href=" link tag. For the href, specify…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now