2 
<!DOCTYPE html>
<html>
<head>
    <script>
        function XSSPrevent(){
            var usercomments = document.getElementById('usertext').value;
            if(usercomments.contains("<script>"){
                alert("Failed");
            } else
            alert("Thank you for your comments" + usercomments);
        }
    </script>
</head>
<body>
    <form>
        <input type="text" id="usertext" maxlength=50/>
        <input type="submit" value="Enter" onclick="XSSPrevent()"/>
    </form>
</body>

It is my first time to work with both HTML form and javascript. Console

shows an unexpected token { after if loop. What's wrong?
I know it is not a good idea to use an alert method in this situation but I

just wanna check my function quickly.

Improve this question
9
  • you realize that there could be tons of other ways to xss the site, right? Commented Aug 5, 2017 at 14:45
  • @mehulmpt yea I know. For example replacing. But My question was not that. Commented Aug 5, 2017 at 14:46
  • You should use a stable HTML sanitizer on your server. Commented Aug 5, 2017 at 14:47
  • 2
    @ProgramLover The general rule is: never trust the client. No matter how secure you think your site is on the client side, the server side will still need to do all the same validation and sanitation. Commented Aug 5, 2017 at 14:53
  • 1
    Thank you everybody for nice suggestions! I will remember and remember all your nice advice Commented Aug 5, 2017 at 15:21

2 Answers 2

Reset to default
3

You're missing a bracket:

function XSSPrevent(){
    var usercomments = document.getElementById('usertext').value;
    if(usercomments.contains("<script>")){ // <-- was missing ) here
        alert("Failed");
    } else
    alert("Thank you for your comments" + usercomments);
}

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

TL;DR: Front-end code is only for making things pretty/user-friendly and for making the experience better for people who use it as intended. Backend (i.e. the part that the user can't change) is the only way to handle security.

As someone already addressed the superficial answer (i.e. how to fix your existing question to not throw errors) the more important thing in my mind is hammering home why, or rather why not to do it.

JavaScript is front-end, which means it can be disabled and even modified! They can just take out that line of your code and proceed unhindered.

Come up with a back-end solution instead. If you're processing the form there's some kind of back-end, and they all have ways to check for and handle bad inputs. Learn how, it's worth it, and mostly not that hard.

It makes sense to have a function on the front-end in addition - if you think there are any people who might expect to be allowed to insert script tags... - In that case you could have a function (with a different name to avoid confusion) that for friendly ux purposes tells them that they're not allowed to insert script tags. Though I've never seen that kind of use case.

Improve this answer

3 Comments

Thank you for an answer!
if you edit what backend you are using for the form I'll point you into the direction of learning how to validate it :)
Got a down vote, would be curious to hear why so I can improve this answer or write better ones in the future. - Or at least learn more on this issue, if I'm wrong :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.