Preventing HTML and Script injections in Javascript
Assume I have a page with an input box. The user types something into the input box and hits a button. The button triggers a function that picks up the value typed into the
-
A one-liner:
var encodedMsg = $('<div />').text(message).html();See it work:
https://jsfiddle.net/TimothyKanski/wnt8o12j/
讨论(0) -
I use this function htmlentities($string):
$msg = "<script>alert("hello")</script> <h1> Hello World </h1>" $msg = htmlentities($msg); echo $msg;讨论(0) -
Use this,
function restrict(elem){ var tf = _(elem); var rx = new RegExp; if(elem == "email"){ rx = /[ '"]/gi; }else if(elem == "search" || elem == "comment"){ rx = /[^a-z 0-9.,?]/gi; }else{ rx = /[^a-z0-9]/gi; } tf.value = tf.value.replace(rx , "" ); }On the backend, for java , Try using StringUtils class or a custom script.
public static String HTMLEncode(String aTagFragment) { final StringBuffer result = new StringBuffer(); final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment); char character = iterator.current(); while (character != StringCharacterIterator.DONE ) { if (character == '<') result.append("<"); else if (character == '>') result.append(">"); else if (character == '\"') result.append("""); else if (character == '\'') result.append("'"); else if (character == '\\') result.append("\"); else if (character == '&') result.append("&"); else { //the char is not a special one //add it to the result as is result.append(character); } character = iterator.next(); } return result.toString(); }讨论(0) -
From here
var string="<script>...</script>"; string=encodeURIComponent(string); // %3Cscript%3E...%3C/script%3讨论(0) -
Try this method to convert a 'string that could potentially contain html code' to 'text format':
$msg = "<div></div>"; $safe_msg = htmlspecialchars($msg, ENT_QUOTES); echo $safe_msg;Hope this helps!
讨论(0) -
You can encode the
<and>to their HTML equivelant.html = html.replace(/</g, "<").replace(/>/g, ">");How to display HTML tags as plain text
讨论(0)
加载中...
- 热议问题