Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 202
  • Last Modified:

escape HTML literals to be sure there are no executable script hack attempts

Hi Experts,

Let's say I'm outputting something that I've taken input for  previously.  It's possible that someone tried to place executable javascript in that input field.  I want to write a function that ensures a literal will not execute by escaping out the relevant characters.

Is there a standard way to do this?  What's the best way?

Thanks,
Mike
0
thready
Asked:
thready
4 Solutions
 
Big MontySenior Web Developer / CEO of ExchangeTree.org Commented:
the easiest way is to escape the < and > chars and use their html expressions.

Eg &lt; instead of < and &gt; instead of > .

var txt = "<script>blah</script>";
var escapedTxt = txt.replace("<", "&lt");
escapedTxt = txt.replace(">", "&gt");
0
 
sudheeshthegreatCommented:
Some of the JS frameworks like jQuery, Prototype and Underscore have such functions to HTML-encode a string.
0
 
COBOLdinosaurCommented:
The prevention of code injection should be part of the routine sanitization server side.  If you are using PHP you have al the method necessary to cleanup anything.  If the data is being stored in a database then using PDO objects forces security before you can insert the data to a DB table.  

Trying to prevent code injection with scripting on the client side is inviting hacks. Idon't care how good you are; the hackers will still beat you if you rely on client side solutions.  There ar just to may ways to fool a browser, because its job is to make things work even with errors, while on the server side the priority is on accessing and protecting resources.

Cd&
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
Dave BaldwinFixer of ProblemsCommented:
In general, you need to accept only 'good' input and reject all other input.  That requires you to define what is good input.  And Cd& is correct.  Client side filtering should be to help the client fill out the form correctly.  Server side filtering is to protect the server and the database.  All of my form pages use both.
0
 
COBOLdinosaurCommented:
A lot of the client side helper stuff can be implemented automatically in HTML5, all we need now is to wait for the older browser to phase out and we can get rid of almost all the form related scripting.

Cd&
0
 
threadyAuthor Commented:
Thanks everyone!
0
 
Dave BaldwinFixer of ProblemsCommented:
You're welcome.  On several sites, I've had to kill the HTML5 crap because it did it wrong for what was needed.  'automatically' usually means that you have fixed all the problems and now it works 'automatically'.
0
 
COBOLdinosaurCommented:
LOL... when was the last time anything was delivered by any major software vendor without bugs?

Cd&
0
 
Dave BaldwinFixer of ProblemsCommented:
Oh... yesterday between 4:03 and 4:04 AM...  Never.  And the biggest bug of all has always been 'them' believing without any evidence that they knew what was needed.  As has been said... the nice thing about standards is that there are so many of them to choose from.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now