You can try escaping HTML submitted from the form. Or even simply detecting the presence of any HTML tag and rejecting such submissions with a friendly error message.
ah yes! I will do this in the next version. someone recommended leaving some of the xss elements like the image and video function with the old school chat vibes but I'm not sure what to do lmaooo
Old school chats and forums dealt with that with special limited markup language for formatting and embedding images or other special elements like youtube videos. Everything outside the limited markup options was treated as text with the replacement of < and > to HTML entities &lt; and &gt; meant to display HTML special characters in text. It was called BBcode, if I recall correctly. It looked something like that:
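
Added example, not part of the original thread: a sketch of the approach described in the post above, where the whole message is HTML-escaped first and only a small set of bracket tags is converted back into markup. The tag set ([b], [i], [img]) and the function names escapeHtml, isSafeUrl and renderBBCode are assumptions chosen for illustration, not any real forum's implementation.

```javascript
// Added example: escape-first renderer for a small BBCode-style subset.
// Tag set and function names are assumptions made for this illustration.

// Replace every HTML-significant character with its entity so that
// user input can never open a tag or close an attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow only absolute http(s) URLs with no whitespace, brackets or angle
// brackets. Schemes such as javascript: or data: fail this check.
function isSafeUrl(url) {
  return /^https?:\/\/[^\s\[\]<>]+$/i.test(url);
}

// Render a chat message: escape everything, then re-introduce markup only
// for the allowed tags. Unknown or malformed tags stay visible as text.
function renderBBCode(input) {
  let html = escapeHtml(input);
  // [img] runs first so that its URL is validated before any other tag
  // could insert markup into it. The URL is already entity-escaped.
  html = html.replace(/\[img\]([\s\S]*?)\[\/img\]/gi, (whole, url) =>
    isSafeUrl(url) ? `<img src="${url}" alt="">` : whole);
  html = html.replace(/\[b\]([\s\S]*?)\[\/b\]/gi, '<b>$1</b>');
  html = html.replace(/\[i\]([\s\S]*?)\[\/i\]/gi, '<i>$1</i>');
  return html;
}

// Constructed sample messages, not taken from any real chat.
const samples = [
  '[b]hello[/b] <script>alert(1)</script>',
  '[img]https://example.com/cat.png?w=1&h=2[/img]',
  '[img]javascript:alert(1)[/img]',
];
for (const s of samples) console.log(renderBBCode(s));
```
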