Tips for eliminating inline scripts or HTML injections from input text using JavaScript or jQuery

Although this type of question may have been asked multiple times before, I am confident that this one is unique. On the server side, I have an Input TextArea control and I am attempting to eliminate all inline scripts or HTML injections. I have successfully removed script tags by using the following code-

$(document).ready(function () {
            $('#btnHTML').click(function () {
                var textarea = document.getElementById("txtar1");
                var stringOfHtml = textarea.value;
                var wrappedString = '<div>' + stringOfHtml + '</div>';
                var noScript = wrappedString.replace(/script/g, "THISISNOTASCRIPTREALLY");
                var html = $(noScript);
                html.find('THISISNOTASCRIPTREALLY').remove();
                var tmp = document.createElement("DIV");
                tmp.id = "tmp";
                tmp.innerHTML = html.html().replace(/THISISNOTASCRIPTREALLY/g, 'script');
                document.body.appendChild(tmp);
                alert(html.html().replace(/THISISNOTASCRIPTREALLY/g, 'script'));
            });
<textarea id="txtar1" style="width:200px;height:100px"></textarea><br/>
<input type="button" id="btnHTML" value="Remove HTML" />

However, my objective remains unaccomplished as I am seeking to prevent or eliminate all forms of inline script injection. Some examples include-

<div>
<table border="2">
<tr>
<td><b>ABCD</b></td>
<td onclick="javascript:alert('Hello')">
EFGH</td>
</tr>
</table>
</div>

<div>
<table border="2">
<tr>
<td><b>Test</b></td>
<td alert('Hello')>
Success</td>
</tr>
</table>
</div>

<META HTTP-EQUIV="refresh" CONTENT="1;url=http://www.test.com">
<BR SIZE="&{alert('Injected')}"> 
<DIV STYLE="background-image: url(javascript:alert('Injected'))">

Any assistance or recommendations would be greatly appreciated.

javascriptjqueryhtmlcssjavascript-injection

Answer №1

A more secure approach to executing JavaScript on a website is to avoid inline code with 

<script> ... source ... </script>
and instead utilize external JavaScript files by importing them using <script src="...">. This helps reduce the risk of attacks and enhances the overall safety of your website. To implement this in modern browsers, it is recommended to utilize the 'Content-Security-Policy' (CSP) property, which can be set either through meta attributes or headers.

For further insights on this topic, you may find this guide useful.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Analyzing latency in node.js through numerous requests

Is there a way to send multiple requests in a loop, and measure the time of each request? In PHP I'd do: require 'vendor/autoload.php'; use GuzzleHttp\Client; $client = new Client(); for ($i = 0; $i < 100; $i++) { $start = mic ...

javascriptnode.jsrequest

Using the power of AJAX, retrieve data from a PHP script and showcase the response within

Within my HTML file, I have implemented a feature that allows users to input a value. To validate this input, I created a PHP script that checks if the entered value exists in the database. The script returns the following JSON response: {"active":true} ...

javascriptphpjqueryhtmlajax

Using JSON to store the image URLs instead of encoding them in base64

I am currently utilizing Three.js to store and retrieve objects in a database. The objects are being inserted as JSON format. However, the issue I am facing is that when using JSON.stringify or toJSON(), it converts the image url (textures) into base64 fo ...

javascriptjsonthree.jsbase64

Warning happens two times upon performing a right-click

I've got some code that checks the mouse's position, and triggers an alert followed by a redirect if a certain condition is met. It functions correctly, however, I noticed that if you right-click in one area and then left-click in another area t ...

javascriptjqueryhttp-redirectalert

What causes Firefox's CPU to spike to 100% when a slideshow begins that adjusts the width and left coordinates of certain divs?

Seeking Advice I'm in need of some help with identifying whether the code I'm working on is causing high CPU usage in Firefox or if it's a bug inherent to the browser itself. The situation is getting frustrating, and I've run out of so ...

javascriptjqueryhtmlcss

Using Jquery to dynamically adjust select options based on the value of another select option

My goal is to create a short form where each select box dynamically populates the next one. The options for the first select box are hardcoded in the body, while the subsequent options are defined as an HTML string in a variable corresponding to the value ...

jquery

Adding Vuetify to a Vue web component, then proceed to pass props to enhance its functionality

Currently working on developing a web component with Vue and using vuetify component library. The goal is to export it as a web component, but facing difficulties when trying to pass props to the exported component in the index.html file. Following the ste ...

javascriptvue.jsvue-componentvuetify.js

Are you initiating several Ajax requests simultaneously?

What is the best approach to updating multiple sections of a page using Ajax? I am working with two divs and two PHP files. My goal is to use jQuery Ajax to populate one div with data received from one PHP file and the other div with data from the second ...

javascriptjqueryajax

"Dynamic" visual in a Vue.js development scheme

Utilizing Vue.js for the development of a hybrid mobile application has been my current focus, with the Quasar framework serving as a key component. Recently, I incorporated an image into the application using the <img /> tag and utilized the followi ...

javascriptcssvue.js

Benefits of using props destructuring in React - beyond just being a syntactic shortcut

This idea might not be exclusive to React, but I've struggled to discover a compelling reason beyond concise and easier-to-read code. ...

javascriptreactjs

Unable to utilize await within a then statement to make a subsequent API call in a React application

Here is my scenario: I am making a call to one API, and in the `then` section of that API call, I am making another API call. The output of the first API will be passed as input to the second API. await axios .post(process.env + '/certificates/uplo ...

javascriptreactjsreact-nativeaxios

Tips for updating the color of carousel image slider indicators (arrows) specifically for the second slide

Is there a way to customize the carousel image slider indicator arrows for only the second image slide? For the first slide, I want the indicators to be black, but for the second slide, I would like them to be white. Can this be achieved? I attempted to ...

javascripthtmlcss

Using Javascript to Retrieve Icecast Metadata

I am currently developing a web radio application that utilizes AngularJS and Laravel 5 to read Icecast streams. Currently, I have implemented loading the stream into an html5 audio element which is working well. However, I am facing an issue where the vie ...

javascriptangularjshtmlicecast

Adding a logo to a website that utilizes CSS, HTML, JS, and Bootstrap

Hey there! I'm new to the world of Front-end development and I've been learning by watching videos and reading everything I can find on the Internet. Currently, I'm using HTML, CSS, and JS for my website. Can anyone help me figure out how to ...

javascripthtmlcssheader

How can I utilize jQuery to add tags in a box?

I have an idea for a feature similar to the Stack Overflow tag insert. My goal is to have a box where I can type in a tag, click 'Add', and see it appear above. Additionally, I want this action to update an array called 'SelectedTags'. ...

javascriptjqueryhtmltags

What could be the reason behind jQuery replacing the entire span with .text?

I am dealing with the following HTML code snippet: <p><input id="revenue" type="text" value="100000" /><span id="howmuch"><a href="" class="ka_button small_button small_cherry" target="_self" style="opacity: 1; "><span>How Mu ...

javascriptjqueryhtml

Is the function failing to detect the updated variable because it is not declared as a global variable?

I have created a quiz with 7 select boxes and a submit button, aiming to display a warning error if the select boxes are not changed or show the score if they are changed. I initialized a variable called 'changed' as false. When a select box is ...

javascriptjqueryhtml

Transform the image background on mouse hover using CSS

On my php page, I am dynamically visualizing thumbnails. To ensure that they are all the same size, I use the following method: <a class="zoom" href="..."> <img src="thumb/default.png" width="130" style="background-image:url(thumb/<?php echo $ ...

css

Can the minimum length be automatically filled between two elements?

I'm struggling to find a way to adjust the spacing of the "auto filling in" dots to ensure a minimum length. Sometimes, on smaller screens, there are only one or two dots visible between items. Is there a way to set a minimum length for the dots in th ...

javascripthtmlcssspace

Node.js: retrieving a webpage and waiting for it to load before extracting data

Is it possible to scrape a webpage using just node.js without relying on other libraries like phantom.js? That is the question I have been pondering lately. In my code below, I am requesting a webpage with request and then using cheerio to extract data by ...

javascriptnode.jsasynchronousscrape