So I'm developing a socket.io real-time web app. My first concern was "What if some evil-minded user tries to inject some code via Dev Tools or Firebug?" and I got my answer here on SO. My next concern is: "What if some evil-minded user tries to inject some code via chat and/or other forms of string input?" and I've come to the conclusion that I can't figure this out by myself. I know that I can use a regex to find out if the user is trying to inject code, but once the code is sent to the server and stored in a string it is executed (ex: var data = " *asd "; while(1);* "; [where the user-sent string is the one between the asterisks]). So my question is: How can I prevent this? In other words, how do I sanitize the user input?

Romeo
  • you have to treat all user input as string – Ibu Mar 22 '13 at 18:31
  • What do you mean by that? I do treat all user input as a string. Sorry, I seem not to understand what you imply. – Romeo Mar 22 '13 at 18:32
  • If the input is always treated as a string and the user enters `while(1);`, all that is going to happen is the other user in the chat will see `while(1);` – Ibu Mar 22 '13 at 18:37
  • Yeah, I know that. But isn't this the same problem as in XSS? If he enters " doesn't he end the string? I'm very confused as to how this is treated by the server. – Romeo Mar 22 '13 at 18:39
  • If he enters you can encode your string using `encodeURIComponent()` – Ibu Mar 22 '13 at 18:45
  • If I do this in the client, could he tamper with it? – Romeo Mar 22 '13 at 18:47
  • You can do it in Node – Ibu Mar 22 '13 at 18:50

1 Answer

You can encode the user input using encodeURIComponent(userstring);

Example:

var userData = encodeURIComponent('asd "; while(1);'); // the user-sent string from the question
Ibu
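
Added example (not code from the question or the answer above): the two places where a chat string can stop being data and start being code are the server handler, if it ever passes the payload to `eval`/`new Function`, and the browser, if it inserts the text into the page as markup. The snippet below treats the payload strictly as a string on the server (type check, length bound, control characters stripped) and HTML-escapes it before it is concatenated into markup on the client. It uses HTML escaping and `textContent` rather than `encodeURIComponent`, because `encodeURIComponent` is a URL encoder and would display the message percent-encoded. The socket.io wiring is shown in comments only so the file runs stand-alone in Node; `MAX_MESSAGE_LENGTH`, the function names and the sample payloads are assumptions made for this example.

```javascript
// Added example: server-side validation plus client-side escaping for a
// socket.io chat message. Plain JavaScript, no socket.io dependency, so it
// runs stand-alone; the socket.io handlers are sketched in comments below.

const MAX_MESSAGE_LENGTH = 500; // assumption: a sensible chat limit for this example

// Server side: accept the payload only as a string, bound its length and drop
// control characters (tab, LF and CR are kept). A string that happens to
// contain `"; while(1);` is still just a string here; nothing evaluates it.
function sanitizeChatMessage(raw) {
  if (typeof raw !== 'string') {
    return null; // a tampered client can emit objects, arrays or numbers
  }
  // eslint-disable-next-line no-control-regex
  const cleaned = raw.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '').trim();
  if (cleaned.length === 0 || cleaned.length > MAX_MESSAGE_LENGTH) {
    return null;
  }
  return cleaned;
}

// Client side: user text turns into code only when it is inserted as markup.
// Escape the five HTML metacharacters before concatenating into innerHTML
// (or assign via textContent and skip this step entirely).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: untrusted text concatenated straight into markup.
function renderUnsafe(user, message) {
  return '<li><b>' + user + '</b>: ' + message + '</li>';
}

// Hardened rendering: every untrusted field escaped for the HTML context.
function renderSafe(user, message) {
  return '<li><b>' + escapeHtml(user) + '</b>: ' + escapeHtml(message) + '</li>';
}

// Constructed sample payloads; the first is the one from the question.
const SAMPLES = [
  'asd "; while(1);',
  '<img src=x onerror="alert(1)">',
  { $ne: null },                           // non-string payload from a tampered client
  'a'.repeat(MAX_MESSAGE_LENGTH + 1),      // over the length bound
];

/* socket.io wiring (not executed in this file):
 *
 * io.on('connection', socket => {
 *   socket.on('chat', raw => {
 *     const message = sanitizeChatMessage(raw);
 *     if (message === null) return;                 // silently drop bad payloads
 *     io.emit('chat', { user: socket.id, message });
 *   });
 * });
 *
 * // browser:
 * socket.on('chat', ({ user, message }) => {
 *   const li = document.createElement('li');
 *   li.textContent = user + ': ' + message;         // never innerHTML with raw text
 *   list.appendChild(li);
 * });
 */

for (const sample of SAMPLES) {
  const message = sanitizeChatMessage(sample);
  const shown = typeof sample === 'string' ? sample.slice(0, 30) : JSON.stringify(sample);
  console.log(shown, '->', message === null ? 'rejected' : renderSafe('bob', message));
}
```

Run it with `node` to see each sample either rejected or rendered with its metacharacters escaped; `renderUnsafe` is kept alongside only to show the pattern that lets the `<img onerror>` payload execute.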