In fact, it is possible to disable execution by changing "type" attribute:
<script type="text/javascript">
alert("I will alert you");
</script>
<script type="application/json">
alert("And I will keep silent");
</script>
<script>
alert("I will alert too");
</script>
Can't be done... A script tag evaluates as soon as the DOM renderer renders it, so getting a handle on it after wards won't do much.
You can disable a script element. There are a couple of ways:
You can specify a different script type as other have listed. Heres the one that worked for me:
//loop through all script tags on page
$('script').each(function(){
var scripthtml = $(this).html();
$(this).replaceWith('<script type="text/gzip">' + scripthtml + '</script>');
});
All of the official script types can all be found here: iana.org
The second way is just a simple if statement:
//loop through all script tags on page
$('script').each(function(){
var scripthtml = $(this).html();
$(this).replaceWith('<script>if (1==0){' + scripthtml + '}</script>');
});
The if statement will always be false, so anything inside the script tag won't execute. However all of your functions() inside the script tag will all be valid.
Heres the javascript equivalent of replaceWith:
//get script and html
var yourscripttag = document.getElementById('yourscripttagID');
var scripthtml = 'if (1==0){' + yourscripttag.innerHTML + '}';
//remove script
yourscripttag.remove();
//create new script element
var newscript=document.createElement('script');
newscript.type='text/javascript';
//insert html in new script tag
newscript.appendChild(document.createTextNode(scripthtml));
//insert new script tag into head
document.getElementsByTagName('head').item(0).appendChild(newscript);
As I understand you are getting some HTML code from the Database and add it to the page. If so, You can write a Server Side function that will add a HTML Notes around the scripts using a simple Regex and after that the user saving the changes you will need to remove the notes.
You can do it also in Javascript if you have the HTML string that you like to add before you add it to the Dom.
Removing all the events on DOM nodes will prevent most of the JavaScript from executing (here for document):
for (key in getEventListeners(document)) {
getEventListeners(document)[key].forEach(function(c) {
c.remove()
})
}
You can hack it. Use another script to do a....
node.parentNode.replaceChild(
document.createComment(node.outerHTML.slice(1,-1)
.replace(/--/g, '\\-\\-')), node);
Where node is your script node/element. The replacing of double dashes is to prevent the browser complaining about an uncompliant comment tag.
Then if you want to enable it just do the reverse comment.replace and enclose with < and >. But you probably need to keep track of the modified script node, because after it becomes a comment it is less query-able.
Inline Java is a security risk. But this can be mitigated using a simple solution.
Simply replace any instance of with something like <script&rt; so it does not render as a tag, but will output in HTML appearing as if it was a tag.
input.replace("<script>", "<script>")
.replace("</script>", "</script>")
This will work if your use case is something like:
If you want to disable inline script such as
<script> alert("Hello"); </script>
