I have a chat client that I have built using node.js, and I was wondering what I should do to input messages before sending them to the server?
Nothing. You can't stop the client sending 'bad' stuff. Validation and cleaning should be done on the server. You should clean/filter/encode it when displaying it to the client.
Maybe (client side):
    socket.on('message', function(e) {
        var txt = e.data;
        // HTML encode (replace & first so the entities added below are not re-encoded)
        txt = txt.replace(/&/g, '&amp;');
        txt = txt.replace(/</g, '&lt;');
        txt = txt.replace(/>/g, '&gt;');
        // Or strip tags
        txt = txt.replace(/<[^>]+>/g, '');
        // Or create a text node
        var node = document.createTextNode(txt);
    });
You don't really need to do anything before sending it to the server, as far as filtering... you should do filtering/validation server-side. If you did it client-side, people can easily sidestep it.
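
A sketch of the server-side validation and encode-on-display approach both answers recommend, as an added example that is not part of the original posts. The names validateMessage, escapeHtml and the MAX_LEN limit are assumptions chosen for illustration.

```javascript
// Added example (not from the original answers). MAX_LEN and the function
// names are hypothetical, chosen for illustration.
const MAX_LEN = 500; // assumed per-message length limit

// Server side: never trust what arrives on the socket.
// Returns { ok: true, text } or { ok: false, reason }.
function validateMessage(raw) {
  // Clients can send any JSON type, not just strings.
  if (typeof raw !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  // Normalize, then drop control characters except tab and newline.
  const text = raw
    .normalize('NFC')
    .replace(/[\u0000-\u0008\u000B-\u001F\u007F]/g, '')
    .trim();
  if (text.length === 0) {
    return { ok: false, reason: 'empty' };
  }
  if (text.length > MAX_LEN) {
    return { ok: false, reason: 'too long' };
  }
  return { ok: true, text };
}

// Output side: encode at the point of display. The replacement is a single
// pass over the string, so an inserted '&amp;' is never encoded a second time.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Constructed sample inputs, as a message handler might receive them.
const samples = ['hello', "<b>hi</b> & 'bye'", { data: 'x' }, '   ', 'a'.repeat(501)];
for (const s of samples) {
  const result = validateMessage(s);
  console.log(result.ok ? 'broadcast: ' + escapeHtml(result.text) : 'rejected: ' + result.reason);
}
```

The validator stores and forwards the text as received (minus control characters); encoding happens only when the text is placed into HTML, so the same stored message can also be rendered safely with createTextNode.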