Like Victor said, the <pre> doesn't prevent this; maybe you're thinking that this tag converts the content to entities, but maybe it's just a mess.
I personally allow the exact recording of what was "written", but at the time of reading I use methods similar to htmlspecialchars, which avoids conflicts, since the texts were not changed when stored.
If your concern is reading the data from a database and printing it on the screen, you can use, at the time of reading the data from the row:
import org.apache.commons.lang.StringEscapeUtils;
...
String data = StringEscapeUtils.escapeHtml("<script>alert(1);</script>");
I don't know what your code looks like, or which framework you use, but I believe the idea is always this: "escape" the content at the time of displaying it (correct me if I'm wrong).
Documentation: StringEscapeUtils (Commons Lang 2.6 API)
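As an added example (it is not code from the answer above, nor from the Commons Lang project), the following Java class puts the two points of this thread side by side: the `</pre>` ... `<pre>` breakout that Victor describes, and the answer's approach of storing the input untouched and escaping it only at display time with `StringEscapeUtils.escapeHtml`. The class name, the stored sample string and the two render methods are invented for illustration; the only assumption is that commons-lang 2.6 is on the classpath.

```java
import org.apache.commons.lang.StringEscapeUtils;

// Hypothetical example class; names and sample data are constructed for this illustration.
public class EscapeOnOutput {

    // Constructed attacker input, stored verbatim in the database exactly as it was "written".
    // It closes the <pre> the page wraps around it, injects markup, then reopens <pre>
    // so the surrounding HTML still parses cleanly.
    static final String STORED = "</pre><script>alert(1);</script><pre>";

    // Rendering as the question proposed: wrap the raw value in <pre>, no escaping.
    // The tag only changes how text is displayed; it does not turn < and > into entities.
    static String renderWithPreOnly(String stored) {
        return "<pre>" + stored + "</pre>";
    }

    // Rendering as the answer proposes: the stored value is untouched,
    // escaping happens at display time (htmlspecialchars-style).
    static String renderEscaped(String stored) {
        return "<pre>" + StringEscapeUtils.escapeHtml(stored) + "</pre>";
    }

    // True if the rendered HTML still contains a live <script> start tag,
    // i.e. the payload survived rendering as markup instead of as text.
    static boolean containsScriptTag(String html) {
        return html.contains("<script");
    }

    public static void main(String[] args) {
        String unsafe = renderWithPreOnly(STORED);
        String safe = renderEscaped(STORED);

        System.out.println("pre only : " + unsafe);
        System.out.println("escaped  : " + safe);

        if (containsScriptTag(unsafe) && !containsScriptTag(safe)) {
            System.out.println("Only the escaped rendering keeps the payload inert.");
        }
    }
}
```

Compile and run it with commons-lang-2.6.jar on the classpath. One caveat before adopting this in a real view layer: escapeHtml in Commons Lang 2.x escapes <, >, & and the double quote, but, as its Javadoc notes, not the apostrophe, so it is an adequate escape for element content and double-quoted attributes only; single-quoted attributes, inline JavaScript and URL contexts each need their own, context-specific escaping.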
Dude, without thinking too hard I can already say that the <pre> tag does not solve it without some other, more complex kind of treatment alongside it, in which case the hacker would start the injected HTML with </pre> and end it with <pre>. – Victor Stafusa
Yep. I saw an implementation in WhatsApp Web that uses the <pre> tag together with <span>. – Avelino
Reading along while no reply appears. – Renan Gomes