views: 95

answers: 2

Is there a Javascript equivalent of libraries like HTMLPurifier, which remove XSS code from strings?

+7  A: 

Generally speaking, by the time Javascript code is running, it's too late to protect yourself against an XSS attack. You need to protect against it at the server, not the client.

bdonlan
This isn't strictly true: there could be a case where an ajax app accepts input from a textarea and injects content into the DOM, in which case you'd definitely want to sanitize it.
Jed Schmidt
That's a good rule of thumb to have the server analyze every user input strictly to ensure attacks are prevented at a deep level.
Jan Gressmann
@Jed, what is the attack vector there, other than the user attacking herself? I don't really see a security issue with that.
Ben Schwehn
Ok, I guess preventing accidental script/tag injection could be a good thing there.
Ben Schwehn
@Jed, this can be avoided by adding text nodes instead of manipulating innerHTML
bdonlan
Suppose I am getting a JSON response back from my server, and the part of this response which I am adding to the HTML page is part of a string. For ex: {data: "this needs to be added to html and can be unsafe"}. Then also am I subject to what you are saying? Can't I run the HTML purifier (JS version) on the above string?
akshat
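An added example, not code from the question or either answer, illustrating the two points raised in the comments above: inserting untrusted text as a DOM text node (bdonlan's suggestion) is safe because a text node is never parsed as markup, whereas assigning the same string to innerHTML is parsed and any script it carries runs. It also shows a minimal HTML-escaping helper for the case akshat describes, where a field from a JSON response has to be placed into the page. The function names (`escapeHtml`, `appendUntrustedText`, `renderServerData`, `fakeDom`) and the sample response are constructed for this example; `fakeDom` is a stand-in so the code runs under Node without a browser.

```javascript
// Constructed sample: the kind of JSON the comment above describes, where the
// "data" field may contain attacker-influenced markup.
const sampleResponse = JSON.parse(
  '{"data": "<script>alert(1)</script> hello <b>world</b>"}'
);

// Escape the five characters that matter when text lands inside an HTML
// element body or a double-quoted attribute value. This is NOT sufficient for
// JavaScript, URL or CSS contexts, which need their own encoders.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe path: a text node is displayed literally and never parsed as markup.
// `doc` defaults to the global document; a test can pass a minimal stand-in.
function appendUntrustedText(parent, str, doc = globalThis.document) {
  const node = doc.createTextNode(String(str));
  parent.appendChild(node);
  return node;
}

// Unsafe path, kept only for contrast: the same string assigned to innerHTML
// is parsed by the browser, so markup (and any script) in it takes effect.
function appendUntrustedHtml(parent, str) {
  parent.innerHTML += str; // never do this with untrusted input
}

// Render the "data" field of a parsed JSON response into a container as text.
function renderServerData(container, response, doc = globalThis.document) {
  return appendUntrustedText(container, response.data, doc);
}

// Minimal stand-in for document/element (hypothetical helper) so the example
// runs under Node; a real browser DOM behaves the same for these calls.
function fakeDom() {
  const doc = { createTextNode: (data) => ({ nodeType: 3, data }) };
  const container = {
    childNodes: [],
    innerHTML: '',
    appendChild(n) { this.childNodes.push(n); return n; },
  };
  return { doc, container };
}

if (typeof document === 'undefined') {
  const { doc, container } = fakeDom();
  renderServerData(container, sampleResponse, doc);
  console.log(container.childNodes[0].data); // the raw string, displayed, not executed
  console.log(escapeHtml(sampleResponse.data)); // safe to concatenate into element text
}
```

In a browser, `renderServerData(document.getElementById('out'), response)` shows the tags as visible text. `escapeHtml` is only for the case where you genuinely must build a markup string; if the server's response is meant to carry real HTML, it should be sanitized server-side, which is the first answer's point.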
+1  A: 

Google-caja project should help you.

Sergey Ilinsky