views:

4585

answers:

4

I'm working with a web service that will give me values like:

var text = "<<<&&&";

And i need to print this to look like "<<<&&&" with javascript.

But here's the catch: i can't use inner HTML(I'm actually sending this values to a prototype library that creates Text Nodes so it doesn't unescape my raw html string. If editing the library would not be an option, how would you unescape this html?

I need to undertand the real deal here, what's the risk of unescaping this type of strings? how does innerHTML does it? and what other options exist?

EDIT- The problem is not about using javascript normal escape/unescape or even jQuery/prototype implementations of them, but about the security issues that could come from using any of this... aka "They told me it was pretty insecure to use them"

(For those trying to undertand what the heck im talking about with innerHTML unescaping this weird string, check out this simple example:

<html>
<head>
<title>createTextNode example</title>

<script type="text/javascript">

var text = "&lt;&lt;&lt;&amp;&amp;&amp;";
function addTextNode(){
    var newtext = document.createTextNode(text);
    var para = document.getElementById("p1");
    para.appendChild(newtext);
}
function innerHTMLTest(){
    var para = document.getElementById("p1");
    para.innerHTML = text;
}
</script>
</head>

<body>
<div style="border: 1px solid red">
<p id="p1">First line of paragraph.<br /></p>
</div><br />

<button onclick="addTextNode();">add another textNode.</button>
<button onclick="innerHTMLTest();">test innerHTML.</button>

</body>
</html>
A: 

Try escape and unescape functions available in Javascript

More details : http://www.w3schools.com/jsref/jsref_unescape.asp

Anuraj
Im told that unescaping html with that method can lead to some serious security issues... that kind of my point....
DFectuoso
Sorry I missed that EDIT :(
Anuraj
No problem, i did it after you answered... dont down vote this guy!
DFectuoso
+2  A: 

Some guesswork for what it's worth.

innerHTML is literally the browser interpretting hte html.

so < becomes the less than symbol becuase that's what would happen if you put < in the html document.

The largest security risk of strings with & is an eval statement, any JSON could make the application insecure. I'm no security expert but if strings remain strings than you should be ok.

This is another way innerHTML is secure the unescaped string is on it's way to becoming html, so theres no risk of it running the javascript.

Fire Crow
+2  A: 

As long as your code is creating text nodes, the browser should NOT render anything harmful. In fact, if you inspect the generated text node's source using Firebug or the IE Dev Toolbar, you'll see that the browser is re-escaping the special characters.

give it a

"<script>"

and it re-escapes it to:

"&lt;script&gt;"

There are several types of nodes: Elements, Documents, Text, Attributes, etc.

The danger is when the browser interprets a string as containing script. The innerHTML property is susceptible to this problem, since it will instruct the browser to create Element nodes, one of which could be a script element, or have inline Javascript such as onmouseover handlers. Creating text nodes circumvents this problem.

Jeff Meatball Yang
Beat me to it. :)
Stobor
Although, I couldn't make it do anything bad with `<script>alert('hi');</script>` - for some reason although the script was inserted, it wasn't being run. But the onload for the images was, so I exploited that instead...
Stobor
@Stobor - could you show me what you mean? I'm curious...
Jeff Meatball Yang
@Jeff: It's been a while, but I only just saw your question. I meant I couldn't get the script on this page to run: http://jsbin.com/onezo - although viewing computed source shows the script tag, it doesn't `alert()`... The alert in my answer works, though.
Stobor
+2  A: 

Change your test string to &lt;b&gt;&lt;&lt;&amp;&amp;&amp;&lt;/b&gt; to get a better handle on what the risk is... (or better, &lt;img src='http://www.spam.com/ASSETS/0EE75B480E5B450F807117E06219CDA6/spamReg.png' onload='alert(document.cookie);'&gt; for cookie-stealing spam)

See the example at http://jsbin.com/uveme (based on your example, using prototype for the unescaping.) Try clicking the four different buttons to see the different effects. Only the last one is a security risk. (You can view/edit the source at http://jsbin.com/uveme/edit) The example doesn't actually steal your cookies...

  1. If your text is coming from a known-safe source and is not based on any user input, then you are safe.
  2. If you are using createTextNode, you are safe.
Stobor
This is really useful. So, bottom line, if there's anything coming from a user, it should be TextNode??
DFectuoso
@DFectuoso: That's one approach, which works if you don't want them to be able to use any HTML features. If, for example, you want them to be styling their text, you have to figure out how you do that safely...
Stobor