Saturday, 21 February 2015

Limiting later DOM-based XSS when setting document.title



Given some JavaScript which modifies the page's title by taking in variable data



document.title = someVariable


I am looking to address DOM-based XSS while keeping the title fairly readable. Therefore, doing something like escape() or encodeURI() will not work.


I do not necessarily have control over how document.title may be used in other scripts, so I want to ensure that I do some sanitization in the least destructive manner, but avoid possible scenarios where the way the variable is later processed could possibly be decoded in such a way that it later becomes XSS.


My first thoughts were something like this:



someVariable = someVariable.replace(/<script/gi, 'noscript'); // global and case-insensitive, not only the first lowercase match
someVariable = someVariable.replace(/[<>'"]/g, '').replace(/%3[CEce]/g, ''); // the second regex also needs the g flag
document.title = someVariable;


This is minimally destructive from a readability standpoint; removing these characters could potentially break later code, but I would rather break code in favor of security.


I feel like I am rolling my own here, so I would like to know if there is a better approach that will meet the readability requirements. If not, are there any other filters or sanitization recommended?
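As an added illustration (not code from the original post), the following shows the two halves of the problem the question describes. Assigning a string to document.title is itself a text sink, so the real risk is a later script that reads the title back and feeds it to an HTML sink. The helper names (fullyDecode, sanitizeTitle, escapeHtml) and the sample inputs are assumptions constructed for this example; the functions are pure so the file runs under Node without a DOM, and the page-level usage is guarded so it also works in a browser.

```javascript
// Added example, not code from the original post. Helper names are assumptions.

// Percent-decode until the string stops changing, so a title that was
// URL-encoded more than once ("%253C" -> "%3C" -> "<") is filtered on its
// final form rather than on an encoded form a later consumer may decode.
function fullyDecode(value) {
  let current = String(value);
  for (let round = 0; round < 5; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed sequence such as a bare "100%": keep the text as-is
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Readability-preserving filter in the spirit of the question: decode first,
// then drop only the characters that can open or close a tag or an attribute
// value, and tidy the whitespace left behind. Letters, digits, accents and
// ordinary punctuation survive untouched.
function sanitizeTitle(value) {
  return fullyDecode(value)
    .replace(/[<>"']/g, '')
    .replace(/\s+/g, ' ')
    .trim();
}

// For a consumer that must build markup from the title, encoding at the sink
// keeps the text readable ("A < B" renders as "A < B") instead of stripping
// characters at the source. This is the option the question rules out for the
// title itself, but it is the right tool at an innerHTML-style sink.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Page-level usage, guarded so the same file also runs under Node.
if (typeof document !== 'undefined') {
  const someVariable = 'Sales %3E 2014'; // constructed sample input
  document.title = sanitizeTitle(someVariable);

  // A later script reusing the title: textContent is a text sink, so the
  // title is safe there as-is; only an HTML sink needs escapeHtml().
  const heading = document.createElement('h1');
  heading.textContent = document.title;
  document.body.appendChild(heading);
}
```

The decode-then-filter order matters: filtering the raw string and then having some other script call decodeURIComponent on the title is exactly the "decoded later" scenario the question worries about, and checking for `%3C` alone does not cover double encoding. Stripping is kept deliberately narrow so that accented text and ordinary punctuation remain readable in the tab bar.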




