Last active
November 6, 2022 11:23
-
-
Save yarliganfatih/2e5e3537a439acf5c4701feea5fde583 to your computer and use it in GitHub Desktop.
a function to render data from harmful form inputs harmless (XSS)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const blockInputInjection = (input) => { | |
| return input.replace(/<\/[^>]*>/g, "</div>").replace(/<[^>]*>/g, "<div hidden>"); | |
| } | |
| // Sample Usage | |
| harmfulInput = 'Hi, <b>Listen Me Now</b><br></br><img src="x"><br/><img src="y"/><script>alert("You have been hacked.");fetch("POST url datas");</script>'; | |
| harmlessInput = blockInputInjection(harmfulInput); | |
| // Result | |
| 'Hi, <div hidden>Listen Me Now<div hidden><div hidden><div hidden><div hidden><div hidden><div hidden><div hidden>alert("You have been hacked.");fetch("POST url datas");<div hidden>' | |
| /* | |
| If saved harmfulInput to database directly | |
| If there is no security vulnerability for sql injection, it will not damage the database, but it waits for the moment to be activated like a trojan horse. | |
| Clients entering the page where this data is displayed will be exposed to the rendered version of this data. | |
| the rendered version of this data can cause; | |
| - can further highlight its own posting in listings | |
| - visual content that can break responsive design | |
| - code phrases that can degrade site performance | |
| - spam and blocks that make the site unusable for clients | |
| - alerts that appear to be sent by the site administration | |
| - it can fetch some important data of the client in the background with the fetch method. | |
| - can apply a phishing method to the client | |
| In short, it can embed any front end code. | |
| */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment