When you are developing a web application, you should take HTML injection into account.
In general, code injection is (from Wikipedia):
Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or “inject”) code into a computer program to change the course of execution.
Imagine you are developing a chat application: you'll have to give users the ability to send text through a text box, and other users will display the received messages.
Imagine the sender of a message types the following text into the text box:
<b>Hello</b> world
The receiver will display "Hello" in bold:
Hello world
so the sender can modify the style of displayed messages!
Let's try with the following piece of text:
<a href="http://mysiteisthebest">Hello World</a>
Maybe the sender is a spammer, and we are giving the spammer the ability to spam using our service!
The sender could also insert more malicious code:
<script>window.open("http://bestSite");</script>
The browser of the receiver could open a new window pointing to bestSite!
Experienced hackers could inject more malicious code!
A way to prevent HTML injection is to display the text escaped, so the browser shows the markup characters instead of interpreting them. A simple JavaScript function to escape text is the following one (the angle brackets are replaced by their HTML entities):
function preventHtmlInjection(textString)
{
return textString.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
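The function above only handles angle brackets. A fuller escaper, added here as an example and not part of the original post, also covers the ampersand and both quote characters, which matters as soon as the text is placed inside an attribute (for example a title or data attribute) rather than only between tags. The names escapeHtml, renderMessage and SAMPLE_MESSAGES are my own, and the messages are constructed samples that mirror the three inputs discussed above.

```javascript
// Added example (not the post's own code): escape every character with
// HTML meaning, not just '<' and '>'.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Single-pass replacement: each special character is mapped once, so an
// '&' produced by one replacement is never re-escaped by a later one.
function escapeHtml(textString) {
  return String(textString).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML fragment a receiving client would insert for one message.
// With `escape` set to false this reproduces the unsafe rendering the post
// describes (the markup in the message is interpreted by the browser).
function renderMessage(sender, text, escape = true) {
  const safeSender = escape ? escapeHtml(sender) : sender;
  const safeText = escape ? escapeHtml(text) : text;
  return `<li><span class="from">${safeSender}</span>: ${safeText}</li>`;
}

// Constructed sample messages, mirroring the three inputs from the post.
const SAMPLE_MESSAGES = [
  "<b>Hello</b> world",
  '<a href="http://mysiteisthebest">Hello World</a>',
  '<script>window.open("http://bestSite");</script>',
];

// True if the escaped text still contains something a browser could parse
// as a tag or entity; used as a self-check on the escaper.
function looksLikeMarkup(text) {
  return /[<>]|&(?!(amp|lt|gt|quot|#39);)/.test(text);
}

// Run the samples through both paths so the difference is visible.
for (const msg of SAMPLE_MESSAGES) {
  console.log("unsafe:", renderMessage("alice", msg, false));
  console.log("safe:  ", renderMessage("alice", msg));
}
```

When the client code writes into the page, setting `element.textContent` instead of `element.innerHTML` makes the browser treat the message as plain text and avoids the problem without any escaping; escaping is what you need when the message is assembled into an HTML string first, and it must match the context (text node, attribute value, or URL), since a URL such as the one in the second sample needs a scheme check in addition to escaping.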