I have the following link being created dynamically in a legacy .asp application.
<a href='javascript:OpenIncompleteProposal(<%=iProposalID%>, <%=Server.UrlEncode(Session("Security_UserFullName"))%>)'><%=sClientName%></a>
When this renders, it renders with no quotes around either parameter; I want the second parameter surrounded by single quotes. I know it should be easy, but escaping the strings and wrapping the global session variable is causing me some trouble.
In a Freemarker template on a page with Angular, I have the following:
...
ng-init="somevariable = ${(model.usercontrolledstring)}"
...
I want to make sure this is hardened against XSS, so I've set up some escaping rules. However, the following value for model.usercontrolledstring causes JavaScript to execute:
abc'+constructor.constructor('alert(1)')()+'abc
The surprising thing is that when the client receives it, it arrives thusly:
ng-init="somevariable = 'abc'+constructor.constructor('alert(1)')()+'abc'"
So it looks like it's being escaped correctly, but Angular is still deciding to run it!
So I guess my questions would be:
What am I not understanding about Angular? (In particular, its decision to run after decoding html entities)
Is there a proper way of configuring a Freemarker Template to prevent this sort of XSS?
I believe you should use somevariable = '${model.usercontrolledstring?jsString}' there.
Also, if that thing goes into a <script> block, certainly you shouldn't apply HTML escaping there. It's not decoded by the browser inside <script>, so you end up with string values that literally contain &#39;. Unless the string is meant to contain HTML as opposed to plain text, that's wrong.
I am trying to pass a few variables from my PHP to the JavaScript, and it's working fine except when I add a particular variable to the function call. There are 3 variables being passed, all of which are related to a YouTube video. The ID is being retrieved from a database, and the other two (title and description) are being retrieved using the ID from the YouTube API.
<a href="#" class="list-group-item" id="{{$vidID[$i]}}" onclick="updateVid('{{$vidID[$i]}}', '{{$title[$i]}}', '{{$desc[$i]}}test')">
I am using Hogan templating, so the {{}} is the same as PHP tags with an echo. The problem only seems to occur when I add in the description variable to the call. Without it, the other two work perfectly fine. After doing some research it seems this is caused by an invisible character, but I retyped my code to make sure and my code wasn't the problem. The developer console shows that the problem is occurring on the last line of the description variable, so it seems that the description is being retrieved with an invisible character from the API. I am just trying to do a simple alert with the description in the JS function. How can I get rid of this character?
Without seeing the actual values, the most obvious problem would be that characters in your content are breaking the HTML and/or the JavaScript function call.
Echoing variables directly in HTML like that is a bit tricky, as you need to escape for the JavaScript but also for the HTML. In this case you can probably use:
... '{{htmlspecialchars(json_encode($desc[$i]), ENT_QUOTES)}}test' ...
The json_encode call will probably get you an extra pair of double quotes around the string.
However, note that the best way to get your variables to JavaScript is to do that directly in a script block, without HTML in the middle, using json_encode in PHP. Then you can be sure any data can be passed without problems, and you can decode it in JavaScript to get your structure back (in the case of arrays and objects).
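An added example, not code from any of the posts above, covering the attribute context that the ASP href, the Angular ng-init and the Hogan onclick all share: the value must be made a JavaScript string literal first and HTML-escaped second, because the browser undoes the HTML escaping before the attribute's expression is parsed (which is why the entity-escaped Angular attribute still executed). Plain JavaScript stands in for Angular's expression parser, and the escaping functions are simplified stand-ins for ?js_string, json_encode and htmlspecialchars; the probe value is constructed.

```javascript
// Layer 1: turn a value into a single-quoted JavaScript string literal.
// Simplified stand-in for FreeMarker's ?js_string / PHP's json_encode (assumption).
function jsStringLiteral(value) {
  const escaped = String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\x3c') // '<' never reaches the HTML parser, so '</script>' cannot end a block
    .replace(/>/g, '\\x3e');
  return "'" + escaped + "'";
}

// Layer 2: HTML attribute escaping, as htmlspecialchars(..., ENT_QUOTES) / escapeHtml do.
function htmlAttrEscape(text) {
  return text.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
             .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// What the browser does to an attribute value before onclick or Angular ever see it.
function htmlAttrDecode(text) {
  return text.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
             .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// The asker's pattern: quote the raw value, then HTML-escape it (looks safe in the page source).
function embedHtmlOnly(value) {
  return htmlAttrEscape("'" + value + "'");
}

// Correct order: JS-escape first, then HTML-escape.
function embedJsThenHtml(value) {
  return htmlAttrEscape(jsStringLiteral(value));
}

// Evaluate the decoded attribute the way its expression engine would. A correctly
// embedded value evaluates back to the original string; anything else means code ran.
function evaluateAttribute(attrText) {
  return Function('"use strict"; return (' + htmlAttrDecode(attrText) + ');')();
}

// Constructed probe: benign arithmetic in place of the constructor.constructor payload,
// so that "the expression was executed" shows up as the digit 2 in the result.
const probe = "abc'+(1+1)+'abc";
console.log(evaluateAttribute(embedHtmlOnly(probe)));   // abc2abc
console.log(evaluateAttribute(embedJsThenHtml(probe))); // abc'+(1+1)+'abc
```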
In my rails app, I'm adding text dynamically to the page using something like this
$('.container').append('<div class="test"><%=description%></div>')
The issue is that sometimes the Ruby variable "description" contains single quotes (for example, it might contain the word "I'm"), which leads to errors when the page tries to render the text.
What's the best way to avoid this problem by escaping quotes in description?
Check out Rails' JavaScript Helper, in particular escape_javascript(javascript):
Escapes carriage returns and single and double quotes for JavaScript segments. Also available through the alias j(). This is particularly helpful in JavaScript responses, like:
$('some_element').replaceWith('<%=j render 'some/element_template' %>');
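An added example, not Rails' source and not the asker's app, that mimics escape_javascript with a reduced copy of its replacement map and then shows the caveat a reviewer would raise on the snippet above: the helper keeps the JavaScript string literal intact, but that string is then inserted as HTML by .append(), so a description containing markup still needs HTML escaping (ERB's h) before escape_javascript. The helper names and the sample descriptions are constructed for the example.

```javascript
// Reduced copy of Rails' escape_javascript replacement map. Assumption: newer Rails
// versions also escape backticks and '$'; those entries are omitted here.
function escapeJavascript(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/<\//g, '<\\/')        // keeps a literal '</script>' from ending an inline script
    .replace(/\r\n|\r|\n/g, '\\n')
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'");
}

// HTML text escaping, what ERB's h() / auto-escaping does.
function h(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
                  .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// The JavaScript string literal the ERB line emits as the argument of .append(),
// given some pre-processing of `description` (identity = the post's template as-is).
function appendArgumentLiteral(description, preprocess) {
  return "'<div class=\"test\">" + escapeJavascript(preprocess(description)) + "</div>'";
}

// What .append() receives once the browser has parsed that literal.
function htmlHandedToAppend(description, preprocess) {
  return Function('return ' + appendArgumentLiteral(description, preprocess) + ';')();
}

// Number of <div elements in the markup .append() will insert.
function divCount(html) {
  return (html.match(/<div\b/g) || []).length;
}

const identity = (d) => d;

// Constructed sample 1, the asker's case: the quote alone is handled by escape_javascript.
const plain = "I'm done";
console.log(htmlHandedToAppend(plain, identity));        // <div class="test">I'm done</div>

// Constructed sample 2: markup inside the description. escape_javascript leaves it
// intact, so .append() inserts two divs instead of one; with h() first it stays text.
const withMarkup = "I'm done</div><div class=\"other\">";
console.log(divCount(htmlHandedToAppend(withMarkup, identity))); // 2
console.log(divCount(htmlHandedToAppend(withMarkup, h)));        // 1
```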
I have recently started writing some scripts for Google Spreadsheets. I have no experience with JavaScript, though, and I have a question concerning a (as I suppose) basic issue.
I would like my script to insert data shown below into a cell in a sheet. How should I encode it to make it work?
komorkaLinku.setValue("=HYPERLINK("http://www.some.link/some/data"+variable+"something","something")");
I had tried several ways but none of them worked.
You are trying to include quotes inside quoted text. There are a couple of ways to do that.
Use single quotes inside double quotes, or vice-versa.
komorkaLinku.setValue('=HYPERLINK("http://www.some.link/some/data'+variable+'something","something")');
Use escaped single quotes.
komorkaLinku.setValue('=HYPERLINK(\'http://www.some.link/some/data'+variable+'something\',\'something\')');
As #ScampMichael comments, it would be a better choice to use setFormula() in this case. You would still need to handle embedded quotes properly.
I'm using a JSON object to store different bits of content, one of which can contain JavaScript- and HTML-relevant content (like quotes, semicolons, tags, etc.) which, without encoding, can break the page. To work around this I'm using:
"content":"<%=StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeJavaScript(content))%>"
(I'm using JSP as server-side technology and this is a bit of the JSON generated inline when the page is loading)
This works fine to escape any character that might break the page, but I now need to get the content from this variable to a textarea.
$('textarea').val(obj.content);
What I'm trying to avoid is the double-encoding that happens at this point:
the original content is: <script>alert("hello world");</script>
the content variable holds: &lt;script&gt;alert(&quot;hello world&quot;);&lt;/script&gt;
the text in the textarea reads: &lt;script&gt;alert(&quot;hello world&quot;);&lt;/script&gt; when it should read <script>alert("hello world");</script>
Any way of making this work?
How about $('textarea').html(obj.content); ?
In my tests, using the html function instead of val does the HTML entity decoding for you.
Just put it in unescape. I mean $('textarea').val(unescape(obj.content));
Would you be able to use StringEscapeUtils.escapeJavaScript instead? If the JSON is in a <script> block that should be sufficient to avoid breaking the page and no decoding will be necessary.
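An added example, not the asker's JSP and not the Commons Lang implementation, that simulates the encodings discussed in this thread and shows what the page's script actually ends up with in obj.content: escapeHtml(escapeJavaScript(...)) leaves entities in the value (the double encoding in the question), escapeJavaScript alone round-trips and still keeps a raw </script> out of the markup, and the built-in unescape() suggested above decodes %XX sequences rather than HTML entities. The two escape functions are reduced stand-ins for StringEscapeUtils, and the sample value is taken from the question.

```javascript
// Reduced stand-in for StringEscapeUtils.escapeJavaScript (Commons Lang 2.x): both quote
// kinds, the backslash and the slash, plus common control characters.
function escapeJavaScript(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/\//g, '\\/')   // '</script>' becomes '<\/script>' in the page source
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\t/g, '\\t');
}

// Reduced stand-in for StringEscapeUtils.escapeHtml.
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
                  .replace(/"/g, '&quot;');
}

// The inline JSON the JSP emits, under each encoding choice from the thread.
function renderDoubleEscaped(content) {
  return '{"content":"' + escapeHtml(escapeJavaScript(content)) + '"}';
}
function renderJsEscaped(content) {
  return '{"content":"' + escapeJavaScript(content) + '"}';
}

// What obj.content holds once the browser has executed the <script> block.
function contentSeenByScript(renderedJson) {
  return Function('return (' + renderedJson + ');')().content;
}

// Constructed sample: the value from the question.
const original = '<script>alert("hello world");</script>';

console.log(contentSeenByScript(renderDoubleEscaped(original)));
// &lt;script&gt;alert(&quot;hello world&quot;);&lt;/script&gt;  (what the textarea showed)
console.log(contentSeenByScript(renderJsEscaped(original)));
// <script>alert("hello world");</script>  (ready for $('textarea').val(obj.content))

// The JS-only rendering still has no raw </script> that would end the block early.
console.log(renderJsEscaped(original).includes('</script>'));   // false

// The global unescape() decodes %XX sequences, not HTML entities, so it cannot undo
// the double encoding (assumption: that built-in is what the answer above meant).
console.log(unescape(contentSeenByScript(renderDoubleEscaped(original))).includes('&lt;')); // true
```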