#0906

Profile Field Sanitisation

Difficulty: Easy · +50 XP · A03:2021 Injection · CWE-79
Tags: XSS, Sanitisation, Profile

Scenario

Your application displays user profile fields (bio, display name, etc.) in HTML pages viewed by other users.

The current sanitiseProfileField function strips only the literal lowercase string <script>, so case variants like <SCRIPT> and tags that carry event-handler attributes, such as <img onerror=...>, pass through completely unhandled.

A stored XSS payload in a profile bio can execute JavaScript in every visitor's browser, enabling session hijacking and credential theft.

Stored XSS in profile fields is one of the most dangerous vulnerability classes because the payload fires for every user who views the profile, multiplying impact across the entire user base.

Your Tasks

  1. Replace the blocklist approach in sanitiseProfileField with proper HTML entity encoding.
  2. Encode all five dangerous characters: & to &amp;, < to &lt;, > to &gt;, " to &quot;, ' to &#x27;.
  3. Return the encoded string — do not throw.

Examples

Example 1: Uppercase script bypass (bug)

sanitiseProfileField('<SCRIPT>alert(1)</SCRIPT>')
// returns '<SCRIPT>alert(1)</SCRIPT>' — not blocked!

Example 2: Safely encoded (fix)

sanitiseProfileField('<SCRIPT>alert(1)</SCRIPT>')
// returns '&lt;SCRIPT&gt;alert(1)&lt;/SCRIPT&gt;'

Constraints

  • Escape & first to prevent double-escaping.
  • Do not use tag-stripping or regex-based HTML removal — encode everything.
  • Empty string must be returned unchanged.
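The following is an added reference example, not the platform's solution.js and not code from the challenge itself. It places a blocklist sanitiser of the kind the scenario describes next to an entity-encoding sanitiseProfileField that follows the tasks and constraints above, and runs a few constructed payloads through both. The blocklist function name, the sample payloads and the decision to treat null or undefined input as the empty string are assumptions made here.

```javascript
// Added reference example (not the platform's own solution).

// The bug as described in the scenario: only the literal lowercase
// "<script>" is removed, so case variants and other tags survive untouched.
function sanitiseProfileFieldBlocklist(value) {
  return String(value).split('<script>').join('');
}

// The fix: encode the five HTML-significant characters instead of trying to
// recognise dangerous markup. "&" is replaced first; otherwise the "&" that
// "&lt;" and friends introduce would be re-encoded into "&amp;lt;".
function sanitiseProfileField(value) {
  // Assumption: null/undefined are treated as empty input rather than thrown on.
  const s = value == null ? '' : String(value);
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Constructed sample payloads and benign text (not taken from any real incident).
const SAMPLE_PAYLOADS = [
  '<script>alert(1)</script>',
  '<SCRIPT>alert(1)</SCRIPT>',
  '<img src=x onerror=alert(1)>',
  '" onmouseover="alert(1)',
  "Tom & Jerry's <3",
];

// True when a sanitiser's output still contains a raw character that can
// open a tag or break out of a quoted attribute.
function stillContainsMarkup(s) {
  return /[<>"']/.test(s);
}

// Runs every payload through both sanitisers and reports which outputs are unsafe.
function compare(payloads = SAMPLE_PAYLOADS) {
  return payloads.map((payload) => {
    const blocklist = sanitiseProfileFieldBlocklist(payload);
    const encoded = sanitiseProfileField(payload);
    return {
      payload,
      blocklist,
      encoded,
      blocklistUnsafe: stillContainsMarkup(blocklist),
      encodedUnsafe: stillContainsMarkup(encoded),
    };
  });
}

for (const row of compare()) {
  console.log(JSON.stringify(row));
}
```

Note that this encoding is correct for HTML text content and for values placed inside quoted HTML attributes. It is not sufficient on its own for values interpolated into a JavaScript block, a URL, or an unquoted attribute; each of those contexts needs its own encoding.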
