jQuery replacement for .html() function that won't try to rewrite the HTML on Redactor Imperavi - XSS vulnerability
This is treated as an XSS vulnerability issue. I'm using the Redactor component from Imperavi, and it seems like it can't generate the right output value when the HTML is not valid.
The problem is when we insert strings like this:
<<SCRIPT a=2>qssQ5GkdwWU=7;//<</SCRIPT>
The redactor removes the script tags and generates this string. This is expected because of XSS attacks.
<qssQ5GkdwWU=7;//<
The problem happens when the Redactor tries to set the previous value on the Redactor element using .html(html). It will think that there is an element and will output this:
<qssq5gkdwwu=7;> </qssq5gkdwwu=7;>
How can I set the value on the element while preventing this behavior?
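The re-parse happens because jQuery's .html() assigns innerHTML, and the HTML tokenizer treats "<" followed by an ASCII letter as the start of a tag. The following is an added example (not code from the question, jQuery or Redactor) showing the two defensive options: write the value as a text node instead of markup, or HTML-encode it before handing it to .html(). The `SANITIZED` constant is the string from the question; `setAsText` takes any object with a `textContent` property so it runs outside a browser.

```javascript
// Added example, not from the question or from Redactor/jQuery itself.
// jQuery's .html(str) assigns innerHTML, so the browser's HTML parser runs over str:
// a "<" followed by an ASCII letter opens a tag, which is how "<qssQ5GkdwWU=7;//<"
// ends up as a <qssq5gdwwu...> element. Two ways to avoid that re-parse are shown.

// Value from the question, after Redactor stripped the <SCRIPT> tags (constructed constant).
const SANITIZED = '<qssQ5GkdwWU=7;//<';

// Encode the five characters that have meaning to the HTML parser so the
// string survives innerHTML as literal text rather than markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Option 1: bypass the parser entirely by writing a text node. In jQuery this is
// $el.text(value); in the DOM it is el.textContent = value. `el` here is any
// object with a textContent property (a plain object works for the demo).
function setAsText(el, value) {
  el.textContent = value;
  return el.textContent;
}

// Option 2: keep using .html()/innerHTML but pass the encoded form, so the
// parser sees "&lt;qssQ..." and produces a text node, not an element.
function htmlSafeValue(value) {
  return escapeHtml(value);
}

// Mirrors the tokenizer rule that bites here: "<" followed by an ASCII letter
// starts a tag, so any such substring will be interpreted as markup.
function wouldOpenTag(s) {
  return /<[a-zA-Z]/.test(s);
}
```

In the browser the equivalent calls are `$('#redactor').text(SANITIZED)` or `$('#redactor').html(htmlSafeValue(SANITIZED))`; the second keeps the value readable in the editor without letting the parser turn it into an element.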
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow