#1  A Change of Season (Devshed Loyal, joined Mar 2004)

    How to sanitise jQuery text update?


    Hey,

    How can I make sure this sanitizes the user's input?

    I think I need to use something like CodeIgniter's html_escape but at the front-end.

    Code:
    // Mirror whatever is typed into #text_content onto #dragable_text.
    // .text() writes the value as a text node, not as HTML markup.
    $("#text_content").keyup(function () {
        $("#dragable_text").text($("#text_content").val());
    });
    Thanks
#2  requinix, Maddening Moderator (Devshed Supreme Being, joined Mar 2007)

    Originally Posted by English Breakfast Tea
    I think I need to use something like Codeigniter's html_escape but at the front-end.
    Actually no, you don't. Stick to jQuery methods like .text() and .val() and everything will be fine.
#3  Banned (not really) (Devshed Supreme Being, joined Dec 1999)

    Originally Posted by requinix
    Actually no, you don't. Stick to jQuery methods like .text() and .val() and everything will be fine.
    Are you saying it's already escaped? So I can take the val() from one element and assign it to another without having to worry that the HTML could be affected? That's good to know...
    -- Cigars, whiskey and wild, wild women. --
#4  requinix, Maddening Moderator (Devshed Supreme Being, joined Mar 2007)

    .text() is HTML-safe because that's what it does.
    We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode() and does not interpret the string as HTML.
    XSS is about confusing text data with HTML markup. If you use something that only ever deals with text content, then there is no risk of XSS.

    Plus, XSS is only a vulnerability when it can be triggered by an outside source automatically; injecting JavaScript into one's own page is not a problem. If #text_content can be set on page load (either with a query string or a POSTed form) then there could be a risk (if it weren't for the .text() thing); however, it would require the user putting focus on that textbox and hitting a key for it to activate.

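The distinction drawn in the reply above (a Text node is never parsed as markup, an HTML string is), shown as an added example that is not from the thread or from jQuery. It uses plain DOM calls in place of jQuery so it also runs under Node for the escaping part; `document.createTextNode`/`textContent` is what `.text()` does and `innerHTML` is what `.html()` does. The `escapeHtml` helper is my own front-end equivalent of CodeIgniter's `html_escape`, the payload string is constructed for illustration, and the `bindLivePreview` function is an assumed jQuery-free rewrite of the original keyup handler.

```javascript
// Added example: why .text() (a Text node) is XSS-safe and .html()/innerHTML
// is not, plus the escaping helper you only need when building HTML strings.

// Constructed sample input: an attribute-based payload that needs no <script>.
const PAYLOAD = '<img src=x onerror="alert(1)">';

// Front-end equivalent of CodeIgniter's html_escape(). Only needed when
// untrusted text is concatenated into markup that the HTML parser will read.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe: the input becomes a single Text node. The parser never sees it,
// so '<img ...>' stays literal characters. This is what jQuery's .text() does.
function renderAsText(target, userInput) {
  target.textContent = '';
  target.appendChild(document.createTextNode(userInput));
  return target.querySelector('img') === null;   // true: nothing was interpreted
}

// Unsafe: the same string handed to innerHTML (jQuery's .html()) is parsed,
// an <img> element is created and its onerror handler fires.
function renderAsHtml(target, userInput) {
  target.innerHTML = userInput;
  return target.querySelector('img') !== null;   // true: markup was interpreted
}

// Safe again: escaping first lets innerHTML carry the text without interpreting it.
function renderEscaped(target, userInput) {
  target.innerHTML = escapeHtml(userInput);
  return target.querySelector('img') === null;
}

// Assumed jQuery-free version of the original handler: copy the textbox value
// into the preview element as text on every keystroke.
function bindLivePreview(input, preview) {
  input.addEventListener('keyup', () => {
    preview.textContent = input.value;            // same effect as .text(val)
  });
}

// Browser-only demo; skipped under Node, which has no DOM.
if (typeof document !== 'undefined') {
  const box = document.createElement('div');
  console.log('text node safe:      ', renderAsText(box, PAYLOAD));
  console.log('innerHTML interprets:', renderAsHtml(box, PAYLOAD));
  console.log('escaped innerHTML:   ', renderEscaped(box, PAYLOAD));
  const ta = document.createElement('textarea');
  const out = document.createElement('div');
  bindLivePreview(ta, out);
}
```

The practical rule that falls out of this: pick the sink first. If the destination is `.text()`, `.val()`, `textContent` or `createTextNode`, no escaping is required and adding `escapeHtml` would actually corrupt the display (the user would see `&lt;` instead of `<`). Escape only when the destination is `.html()`, `innerHTML`, `.append("<b>" + s + "</b>")` or any other place where the string is handed to the HTML parser.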
