I compose a large HTML file out of a huge unformatted text file. Now my fear is that the text file might contain some malicious JavaScript code. To avoid any damage I scan the text and replace any < or > with lt and gt. That is quite effective, but it's not really good for the performance.
Is there some tag or attribute or whatever that allows me to turn JavaScript off within the HTML file? In the header perhaps?
Since you've considered replacing all < and > by the HTML entities, a good option would consist of sending the Content-Type: text/plain header.
If you include want to show the contents of the file, replacing every & by & and every < by < is sufficient to correctly display the contents of the file. Example:
Input: Huge wall of text 1<a2 &>1
Output: Huge wall of text 1<a2 &>1
Unmodified output, displaying in browser: Huge wall of text 11 (<..> interpreted as HTML)
If you cannot modify code at the back-end (server-side), you need a HTML parser, which sanitised your code. JavaScript is not the only threat, embedded content (<object>, <iframe>, ...) can also be very malicious. Have a look at the following answer for a very detailed HTML parser & sanitizer :
Can I load an entire HTML document into a document fragment in Internet Explorer?
When you have a control of backend, you can provide file with header
Content-type: text/plain;
No, you can't disable JavaScript from inside a webpage, rather, you should sanitize any and all input from your users to make sure no malicious scripts go through your script.
Whether it's by remove all script tags or replacing < and >, you need to make sure your input is clean.
Do a search for <script and replace with <!--<script and search for </script> and replace with </script>-->.
This should comment out all scripts in the file.
you need a sandbox or clean html code. look phpids or html purifier.
