$("#id").append(dataHtml);
when injected with <script>alert('test)</script> an alert box appears on the screen showing test.I encoded the html but then it appeared as plain text.
I get the value of dataHtml from database.Because of some reasons I have to do this all on the client side using javascript/jquery.
How do i ignore such tags/injection while maintaing the html?
you could just use a simple regular expression to remove all script tags:
dataHtml = dataHtml.replace(/<script.*>[\s\S]*.*[\s\S]*<\/script>/g,"");
some explanation:
.* : all characters except linebreaks (* times) [\s\S]* : linebreaksto test if everything matches as expected you can use an online tool with an example of your dataHtml value (http://www.regexr.com/ for example).
Append the script element with the type attribute set to something other than text/javascript, i.e. like this:
<script type="text/template">alert('test');</script>
This script tag will not be parsed or run as javascript.
