
And it's already been XSS'd to death. I wouldn't recommend visiting this for now.



I think it is now somewhat disabled. You just need to refresh the page.


This is what I did for now

    msg.text =
        msg.text.replace('>','')
            .replace('<','')
            .replace(';','')
            .replace('/','')
            .replace('\\','')
            .replace('\'','')
            .replace('\"','')
            .replace(':"','')
            .replace('!important','');
I will think of a more clever solution next week :)


Here is how mustache.js[0] does it:

    var entityMap = {
        "&": "&amp;",
        "<": "&lt;",
        ">": "&gt;",
        '"': '&quot;',
        "'": '&#39;',
        "/": '&#x2F;'
     };

      function escapeHtml(string) {
        return String(string).replace(/[&<>"'\/]/g, function (s) {
          return entityMap[s];
        });
      }


Also, document.createTextNode will tell the browser not to render the children as HTML, whereas appending a DOM element and innerHTML will.[1] I'm just assuming that behavior is correct in all browsers though.

[0]https://github.com/janl/mustache.js/blob/master/mustache.js#...

[1]https://jsfiddle.net/1dsygwoj/


Thanks I added that on top of JsHtmlSanitizer.


Make your regexes global, i.e. .replace(/</g, "") (note the g at the end), otherwise only the first instance is replaced. I made it easy for you: https://github.com/idoco/map-chat/pull/1
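To make the difference concrete, here is an added example (not code from map-chat or from anyone in this thread) that puts the two points above side by side: a string-pattern replace() strips only the first occurrence, a /g regex strips all of them, and entity escaping in the style of the mustache.js escapeHtml quoted earlier keeps the message text intact while making it render as text rather than markup. The sample message is constructed for the example.

```javascript
// Added example, not from the map-chat project or any commenter.
// Demonstrates why a non-global String.replace is an incomplete filter,
// and shows entity escaping as the alternative to stripping characters.

// Entity map in the style of mustache.js's escapeHtml.
const entityMap = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "/": "&#x2F;",
};

// Escape every HTML-significant character in one pass so the message
// renders as literal text. A single regex pass also avoids double-encoding
// the '&' that the other replacements introduce.
function escapeHtml(string) {
  return String(string).replace(/[&<>"'\/]/g, (s) => entityMap[s]);
}

// Strip angle brackets using string patterns. With a string pattern,
// String.prototype.replace replaces only the FIRST match, so any tag
// after the first survives.
function stripFirstOnly(text) {
  return text.replace("<", "").replace(">", "");
}

// Same stripping with the /g flag: every occurrence is removed.
function stripAll(text) {
  return text.replace(/</g, "").replace(/>/g, "");
}

// Quick check a filter's output can be tested against: does raw markup remain?
function containsRawMarkup(text) {
  return /[<>]/.test(text);
}

// Constructed sample message containing more than one tag.
const sample = "hi <b>there</b> <i>again</i>";

// Usage: compare the three approaches on the same input.
console.log("first-only:", stripFirstOnly(sample), containsRawMarkup(stripFirstOnly(sample)));
console.log("global:    ", stripAll(sample), containsRawMarkup(stripAll(sample)));
console.log("escaped:   ", escapeHtml(sample), containsRawMarkup(escapeHtml(sample)));
```

The first-only variant leaves `</b> <i>again</i>` untouched, which is exactly the gap the PR fixes; the escaped output is what you want when the message is later inserted via innerHTML, because the reader still sees the original text but the browser never parses it as tags.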


That's super easy to get around. It only replaces the first occurrence of each.


You are right, that was very silly of me. I got some real XSS filter instead.


I see an iframe on the page. Right now.


Suddenly someone injected www.leekspin.com while I'm viewing the map.


That made me laugh.


    var div = document.createElement('div');
    div.textContent = msg;
    msg.text = div.innerHTML;

This should remove all HTML/CSS/Script.


This is a naive solution. Pull in some library.



