
how to prevent cross-site scripting in an InfoPath form

There are InfoPath forms implemented in several areas of our site to submit requests. An example is a Request form where a user can ask a question to a staff member, who can reply to the message as well.

There is the possibility that someone can enter JavaScript in one of the InfoPath controls (subject or message body) and submit the data through the InfoPath form. The JavaScript code then fires on the staff side, with that page showing the alert message. I've researched a lot but haven't found a definitive answer.

Is there any direct way to restrict/prevent XSS for this type of validation? Any suggestions would be helpful.

Thanks in Advance!

You can encode the text, for example,

    // Sample input containing a script tag (the closing tag was missing its slash)
    var titleValue = '<' + 'script type="text/javascript">alert(123);<' + '/script>',
        encodedValue = [],
        c;
    // Walk the string and replace the characters HTML treats specially
    for (var i = 0; i < titleValue.length; i++) {
        c = titleValue.charAt(i);
        if (c == '<')
            encodedValue.push('&lt;');
        else if (c == '>')
            encodedValue.push('&gt;');
        else if (c == '&')
            encodedValue.push('&amp;');
        else if (c == '"')
            encodedValue.push('&quot;');
        else
            encodedValue.push(c);
    }
    alert('encoded value is: ' + encodedValue.join(''));

Regards,

ben

If your staff's HTML is generated via JavaScript, then you can use innerText to avoid any HTML markup interpretation:

document.getElementById('text').innerText = untrustedOutput;

If it's server side, you can look at benban123's answer and adapt it to your language. In PHP, I'd use:

htmlentities( $text );

(see: http://www.php.net/manual/en/function.htmlentities.php ). But I'm not sure of its effectiveness; XSS vectors are numerous.

EDIT: If your text is only meant to be displayed via the JavaScript function alert(msg), I think you're safe, as it won't be interpreted (maybe apart from the escaped newline characters, \n).
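Pulling the two answers together, here is an added example (not code from either answer or from InfoPath) of a single escaping routine applied at the point where submitted fields are placed into the staff-side HTML. It assumes a hypothetical request object with id, subject and body fields; the sample values are constructed to show a script tag in the subject and an attribute break-out attempt in the body.

```javascript
// Escape the five characters that matter in HTML text and attribute contexts.
// A lookup table plus one regex replace avoids the per-character if-chain and
// cannot miss a character through a typo in the chain.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Staff-side rendering of a submitted request. Every field is escaped once,
// at the moment it enters the HTML string, no matter where it came from.
// Newlines are turned into <br> only after escaping, so the <br> is markup
// that this code chose, not something the user supplied.
function renderRequestHtml(request) {
  return (
    '<div class="request" data-id="' + escapeHtml(request.id) + '">' +
      '<h2>' + escapeHtml(request.subject) + '</h2>' +
      '<p>' + escapeHtml(request.body).replace(/\n/g, '<br>') + '</p>' +
    '</div>'
  );
}

// Constructed sample (hypothetical field names): the subject carries a script
// tag, the body tries to close the surrounding attribute/quote.
const sampleRequest = {
  id: 'req-42',
  subject: '<script>alert(123)</script>',
  body: 'Hello" onmouseover="alert(1)\nSecond line & more',
};

// Sanity check usable in tests: after escaping, no raw '<', '>' or '"' from
// the user fields may survive in the output (the '<br>' and the fixed wrapper
// markup are the only tags present).
function onlyKnownTags(html) {
  return html.replace(/<\/?(div|h2|p|br)\b[^>]*>/g, '').indexOf('<') === -1;
}

console.log(renderRequestHtml(sampleRequest));
console.log('only known tags:', onlyKnownTags(renderRequestHtml(sampleRequest)));
```

In a browser, assigning `element.textContent = untrusted` (the standard form of the innerText approach above) is the equivalent for a text node; the escaping function is still needed whenever you build an HTML string or an attribute value.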
