-1

My input is as follows 

input = "hello <script>alert("I am stealing your data");</script>"

I want to remove the complete script tag from the string and the output should look like

output = "hello"

Tried following command but its not removing complete tag.

input.replace(/(<([^>]+)>)/ig, ''));

It gives result us 

"hello alert("I am stealing you data");"
Improve this question
6
  • @NinaScholz what is missing? It's a simple straight forward question Commented May 16, 2019 at 12:20
  • didn't dv. But if the non "hello" part is constant than you could use the following answer Commented May 16, 2019 at 12:22
  • @Dixel given that it's a script tag, I wouldn't assume it's constant. This appears to be aimed at sanitising arbitrary data. Commented May 16, 2019 at 12:23
  • Its not constant. Its the input we get from user. Kind of fixing XSS attack Commented May 16, 2019 at 12:23
  • Hmm ... If you're getting this string from your server, the attack has already took a place. Commented May 16, 2019 at 12:30

2 Answers 2

Reset to default
5

You should not use regular expressions for this. Instead use the DOM parser capabilities:

var input = 'hello <script\>alert("I am stealing your data");</script\>';

var span = document.createElement("span");
span.innerHTML = input; // This will not execute scripts
// Remove all script tags within this span element:
Array.from(span.querySelectorAll("script"), script => script.remove()); 
// Get the remaining HTML out of it
var scriptless = span.innerHTML;

console.log(scriptless);

Just note that it is a very bad idea to let the user pass arbitrary HTML to your application. Sanitising involves a lot more than just removing script tags.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

"Sanitising involves a lot more than just removing script tags." That depends how you want to sanitize your string. A simple two liner would sanitize an html string just fine. var replacements = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" }; str.replace(/[&<>"']/g, match => replacements[match]);
1

You do not need to use a regular expression, because those can be easy to trick and are not fit for parsing HTML content, especially not untrusted HTML content.

Instead, you can use a DOMParser to create a new document and use the DOM API to find and remove all script tags, then return the rest of the content:

function sanitise(input) {
  const parser = new DOMParser();
  const doc = parser.parseFromString(input, "text/html");
  
  //find all script tags
  const scripts = doc.getElementsByTagName('script');

  for (const script of scripts)
    script.remove(); //remove from the DOM
  
  return doc.body.textContent.trim();
}

//using the + because otherwise Stack Snippets breaks
console.log(sanitise("hello <script>alert('I am stealing your data');</scr"+"ipt>"))

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.