Using plain javascript to espace HTML

Published: 03/02/2021

At work I’ve spent the last 6 months working on security issues. From jQuery updates to React, Angular and bootstrap and every possible framework in between. I’m going to show you a little trick you can use from the DOM to sanitize output without bringing in a library.

This is the messy jQuery code I’m working to fix:

  $.ajaxEx({
    url: __GLOBAL_SCOPE__.APIRoot + "/super/createccUser",
    method: "post",
    data: param,
    success: function (res) {
        if (res.code === 0) {
        $('#message #messageText').html('').append('<p>Create user success!</p>');
        userManagement.resetModal();
        $('#createUser').modal('hide');
        $('#message').modal();
        } else {
        $('#message #messageText').html('').append('<p>Error:' +res.msg+ '</p>');
        $('#message').modal();
        console.error(res);
        }
    },
    error: function (err) {
        $('#message #messageText').html('').append('<p>Error:' + err + '</p>');
        $('#message').modal();
        console.error(err);
    }
});

Veracode is complaining about the response in the two functions, the res.msg and err variables because they could contain HTML and inject a Cross Site Scripting bug (XSS). I could do something like use Regex, set something on the global scope or import something like HTML Escape Goat. Or I could use the dom method: document.createTextNode.

Being a through developer, I figured out that if you did something like document.createTextNode("<h1>jQuery is stupid</h1>") will give you the string encoding with tags of jQuery is stupid. Just what I wanted; so a minor change to the code and veracode is no longer complaining. Doc create text node will return a string, therefore you can call it inline:

  $.ajaxEx({
    url: __GLOBAL_SCOPE__.APIRoot + "/super/createccUser",
    method: "post",
    data: param,
    success: function (res) {
        if (res.code === 0) {
        $('#message #messageText').html('').append('<p>Create user success!</p>');
        userManagement.resetModal();
        $('#createUser').modal('hide');
        $('#message').modal();
        } else {
        $('#message #messageText').html('').append('<p>Error:' +document.createTextNode(res.msg)+ '</p>');
        $('#message').modal();
        console.error(res);
        }
    },
    error: function (err) {
        $('#message #messageText').html('').append('<p>Error:' + document.createTextNode(err) + '</p>');
        $('#message').modal();
        console.error(err);
    }
});

Why does it work? Well, according to Mozzila, it’s used to escape HTML elements. Creates a new Text node. This method can be used to escape HTML characters. It’s supported since Chrome/Safari/Firefox 1, IE 5 and Opera 7. Push that easy button!