DEV Community

Discussion on: How TF Does XSS Work?

Nested Software • Edited

Let’s say your web site has a comment feature. Users enter comments that are displayed for everyone else to read.

Suppose I enter a comment that contains an html script tag. If the application doesn’t properly escape this text, it can become incorporated into the body of the html document when the comment is displayed. This script will have the same permissions as a script written by the app developer, so that’s not good.

If you can completely exclude anything that even remotely resembles html or javascript code (or server-side code for that matter), that makes the job easy. That's what I would do for many kinds of forms.

There are lots of different ways to inject code into submitted content, so in the absence of that kind of very simple white-list approach (exclude anything that isn't listed as okay), the general problem can apparently be very hard to solve. If you need to support users saving markup/code in some way, then you should probably use a library (e.g. HtmlSanitizer) that sanitizes that kind of input before using it in any other way (like adding it to the dom or saving it to the server).

That’s the basic idea, hope it helps!

PS: It looks as though React should escape stuff like that for you unless you use dangerouslySetInnerHTML (reactjs.org/docs/dom-elements.html), but there may still be some issues: medium.com/javascript-security/avo...
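An added example illustrating the comment above (this is not the commenter's code, and it uses no framework or sanitizer library): a minimal comment renderer with the unescaped path that lets a submitted script tag become page markup, the escaped path that turns it into harmless text, and the simple plain-text whitelist the comment describes for forms where markup is never legitimate. The sample comment, the function names and the `containsScriptTag` check are constructed for this example.

```javascript
// Added example (not from the original comment): how a comment feature leaks
// user-submitted markup into the page, and how escaping prevents it.
// Uses only plain JavaScript; no framework or sanitizer library is assumed.

// Constructed sample input: a comment that contains an html script tag.
const USER_COMMENT = 'Nice post! <script>console.log("injected")</script>';

// Replace the five characters that can change HTML context with entities.
// After escaping, the browser displays the markup as literal text instead
// of parsing it as elements, so nothing in it can run.
function escapeHtml(text) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable: the comment is concatenated straight into the document body,
// so a <script> tag typed by a user becomes a real script element with the
// same permissions as the application's own scripts.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Safe: the same template, but the untrusted text is escaped first.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Check used by the assertions below: does the rendered HTML still contain
// a live <script> element? (Escaped text has no literal '<', so it cannot.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Whitelist approach from the comment: accept only letters, digits,
// whitespace and basic punctuation, and reject everything else outright.
// Suitable for forms that never need to store markup or code.
const PLAIN_TEXT = /^[\p{L}\p{N}\s.,!?'"():;-]*$/u;
function isPlainText(text) {
  return PLAIN_TEXT.test(text);
}

console.log('unsafe:', renderCommentUnsafe(USER_COMMENT));
console.log('safe:  ', renderCommentSafe(USER_COMMENT));
console.log('plain text accepted:', isPlainText(USER_COMMENT));
```

Escaping on output (as in `renderCommentSafe`) is the general fix because it keeps the user's text intact while removing its ability to act as markup; the whitelist in `isPlainText` is the simpler option the comment recommends when a field has no reason to contain anything that looks like code.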