1 
 $("#id").append(dataHtml);

when injected with <script>alert('test)</script> an alert box appears on the screen showing test.I encoded the html but then it appeared as plain text.

I get the value of dataHtml from database.Because of some reasons I have to do this all on the client side using javascript/jquery.

How do i ignore such tags/injection while maintaing the html?

Improve this question
2
  • Am i understanding correctly that you want to exclude all script tags? Commented Sep 26, 2014 at 8:07
  • yes,I want to.anything malicious like that. Commented Sep 26, 2014 at 8:08

2 Answers 2

Reset to default
1

you could just use a simple regular expression to remove all script tags:

dataHtml = dataHtml.replace(/<script.*>[\s\S]*.*[\s\S]*<\/script>/g,"");

some explanation:

  • .* : all characters except linebreaks (* times)
  • [\s\S]* : linebreaks

to test if everything matches as expected you can use an online tool with an example of your dataHtml value (http://www.regexr.com/ for example).

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Append the script element with the type attribute set to something other than text/javascript, i.e. like this:

<script type="text/template">alert('test');</script>

This script tag will not be parsed or run as javascript.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.