Monday, May 20, 2024
Homepage · html
 Popular · Latest · Hot · Upcoming
58
rated 0 times [  61] [ 3]  / answers: 1 / hits: 46808  / 15 Years ago, tue, july 7, 2009, 12:00:00

I'm working with a web service that will give me values like: 



var text = <<<&&&;


And i need to print this to look like <<<&&& with javascript.



But here's the catch: i can't use inner HTML(I'm actually sending this values to a prototype library that creates Text Nodes so it doesn't unescape my raw html string. If editing the library would not be an option, how would you unescape this html?



I need to undertand the real deal here, what's the risk of unescaping this type of strings? how does innerHTML does it? and what other options exist?



EDIT- The problem is not about using javascript normal escape/unescape or even jQuery/prototype implementations of them, but about the security issues that could come from using any of this... aka They told me it was pretty insecure to use them



(For those trying to undertand what the heck im talking about with innerHTML unescaping this weird string, check out this simple example:



<html>

<head>

<title>createTextNode example</title>



<script type=text/javascript>



var text = &lt;&lt;&lt;&amp;&amp;&amp;;

function addTextNode(){

    var newtext = document.createTextNode(text);

    var para = document.getElementById(p1);

    para.appendChild(newtext);

}

function innerHTMLTest(){

    var para = document.getElementById(p1);

    para.innerHTML = text;

}

</script>

</head>



<body>

<div style=border: 1px solid red>

<p id=p1>First line of paragraph.<br /></p>

</div><br />



<button onclick=addTextNode();>add another textNode.</button>

<button onclick=innerHTMLTest();>test innerHTML.</button>



</body>

</html>

More From » html
 Answers
636

Change your test string to &lt;b&gt;&lt;&lt;&amp;&amp;&amp;&lt;/b&gt; to get a better handle on what the risk is... (or better, &lt;img src='http://www.spam.com/ASSETS/0EE75B480E5B450F807117E06219CDA6/spamReg.png' onload='alert(document.cookie);'&gt; for cookie-stealing spam)



See the example at http://jsbin.com/uveme/139/ (based on your example, using prototype for the unescaping.) Try clicking the four different buttons to see the different effects. Only the last one is a security risk. (You can view/edit the source at http://jsbin.com/uveme/139/edit) The example doesn't actually steal your cookies...




  1. If your text is coming from a known-safe source and is not based on any user input, then you are safe.

  2. If you are using createTextNode to create a text node and appendChild to insert that unaltered node object directly into your document, you are safe.

  3. Otherwise, you need to take appropriate measures to ensure that unsafe content can't make it to your viewer's browser.



Note: As pointed out by Ben Vinegar Using createTextNode is not a magic bullet: using it to escape the string, then using textContent or innerHTML to get the escaped text out and doing other stuff with it does not protect you in your subsequent uses. In particluar, the escapeHtml method in Peter Brown's answer below is insecure if used to populate attributes.


[#99181] Wednesday, July 1, 2009, 15 Years  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.
ignacio
Add To Favorites
Follow
Total Points: 467
Total Questions: 128
Total Answers: 79
Location: Luxembourg
Member since Tue, Mar 14, 2023
1 Year ago
ignacio questions
Tue, Aug 16, 22, 00:00, 2 Years ago
Fri, Jun 10, 22, 00:00, 2 Years ago
Fri, Jun 4, 21, 00:00, 3 Years ago
Fri, Apr 23, 21, 00:00, 3 Years ago
Wed, Jul 22, 20, 00:00, 4 Years ago
View All
;