javascript - How to prevent XSS vulnerability from being introduced when using .val()? -
javascript - How to prevent XSS vulnerability from being introduced when using .val()? -
i store unsanitized user input in database, escape on output.
if come in "><svg/onload=alert(3)> input , save in database, load page escapes data, putting input, page source shows:
... value=""><svg/onload=alert(3)>" ... as can see, it's escaped.
however, if run code:
$(".somediv").html($("#myinput").val()); then next set element:
""><svg/onload=alert(3)>" and alert box pops up.
jsfiddle
what doing wrong here? thought escaping info on output needed do, apparently when manipulating dom jquery that's not true.
if want set text, utilize .text(). entities in attribute’s value interpreted, , ""><svg/onload=alert(3)>" is value of attribute.
$(".somediv").text($("#myinput").val()); class="snippet-code-js lang-js prettyprint-override">$('#destination').text($('#source').attr('title')); class="snippet-code-html lang-html prettyprint-override"><script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script> <div id="source" title="&"<">hover on me!</div> <div id="destination"></div>
javascript jquery html xss
Comments
Post a Comment