Node、Express 和 MongoDB 中的 HTML 注入。 （EJS 模板引擎）

Question

I am new to web development. I know very little about security. I have made a forum in which users can choose to converse anonymously. So am not registering or asking users to login.

I have a huge flaw in my application.The moment someone types HTML/CSS/JS into my input field, the changes get rendered onto the actual website. I have been brainstorming over this but am unable to find a solution to this problem.

How can I detect whether a user is typing in HTML or CSS and how can I overcome this malpractice of the user. As the typed in content is saved into the database, it is rendered every time. Please help guys! Let the solutions pour in.

Thank you in advance.

Answer 1

EJS already have built-in mechanism to protect against HTML injection. The <%= tag escapes HTML. For example:

<% var x = '<div>HTML Injection!</div>' %>
<%= x %>

Will render something similar to:

<HTML Injection!>

So the output should be safe even though it will look like someone is typing code.

The only way HTML injection can work in EJS is if you deliberately allow it by using <%- instead of <%= or by redefining the escape option.

If you really need to use <%- then EJS will stop protecting you from HTML injection and assume you know what you are doing. In which case avoiding HTML injection becomes your responsibility. You can manually do what EJS does for you by replacing < with < and > with > or by deleting HTML tags completely from user input:

const some_input = req.query.some_data;

escaped_html_input = some_input.replace(/</g, '&lt;').replace(/>/g, '&gt;');

deleted_html_input = some_input.replace(/<.+?>/g, '');

save(escaped_html_input);

// or save(deleted_html_input);