escape HTML literals to be sure there are no executable script hack attempts

Posted on 2015-01-09
Last Modified: 2015-01-09
Hi Experts,

Let's say I'm outputting something that I've taken input for  previously.  It's possible that someone tried to place executable javascript in that input field.  I want to write a function that ensures a literal will not execute by escaping out the relevant characters.

Is there a standard way to do this?  What's the best way?

Question by:thready
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 33

Assisted Solution

by:Big Monty
Big Monty earned 100 total points
ID: 40540799
the easiest way is to escape the < and > chars and use their html expressions.

Eg &lt; instead of < and &gt; instead of > .

var txt = "<script>blah</script>";
var escapedTxt = txt.replace("<", "&lt");
escapedTxt = txt.replace(">", "&gt");

Assisted Solution

sudheeshthegreat earned 100 total points
ID: 40540886
Some of the JS frameworks like jQuery, Prototype and Underscore have such functions to HTML-encode a string.
LVL 53

Accepted Solution

COBOLdinosaur earned 200 total points
ID: 40541098
The prevention of code injection should be part of the routine sanitization server side.  If you are using PHP you have al the method necessary to cleanup anything.  If the data is being stored in a database then using PDO objects forces security before you can insert the data to a DB table.  

Trying to prevent code injection with scripting on the client side is inviting hacks. Idon't care how good you are; the hackers will still beat you if you rely on client side solutions.  There ar just to may ways to fool a browser, because its job is to make things work even with errors, while on the server side the priority is on accessing and protecting resources.

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 40541165
In general, you need to accept only 'good' input and reject all other input.  That requires you to define what is good input.  And Cd& is correct.  Client side filtering should be to help the client fill out the form correctly.  Server side filtering is to protect the server and the database.  All of my form pages use both.
LVL 53

Expert Comment

ID: 40541205
A lot of the client side helper stuff can be implemented automatically in HTML5, all we need now is to wait for the older browser to phase out and we can get rid of almost all the form related scripting.


Author Closing Comment

ID: 40541212
Thanks everyone!
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40541225
You're welcome.  On several sites, I've had to kill the HTML5 crap because it did it wrong for what was needed.  'automatically' usually means that you have fixed all the problems and now it works 'automatically'.
LVL 53

Expert Comment

ID: 40541252
LOL... when was the last time anything was delivered by any major software vendor without bugs?

LVL 83

Expert Comment

by:Dave Baldwin
ID: 40541329
Oh... yesterday between 4:03 and 4:04 AM...  Never.  And the biggest bug of all has always been 'them' believing without any evidence that they knew what was needed.  As has been said... the nice thing about standards is that there are so many of them to choose from.

Featured Post

Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article discusses four methods for overlaying images in a container on a web page
This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
The viewer will learn the benefit of using external CSS files and the relationship between class and ID selectors. Create your external css file by saving it as style.css then set up your style tags: (CODE) Reference the nav tag and set your prop…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question