In my rails app, I'm adding text dynamically to the page using something like this
$('.container').append('<div class="test"><%=description%></div>')
The issue is that sometimes the ruby variable "description" contains single quotes (for example, it might container the word "I'm"), which leads to errors when the page tries to render the text.
What's the best way to avoid this problem by escaping quotes in description?
Checkout Rails' JavaScript Helper, in particular escape_javascript(javascript)
Escapes carriage returns and single and double quotes for JavaScript
segments.
Also available through the alias j(). This is particularly helpful in
JavaScript responses, like:
$('some_element').replaceWith('<%=j render 'some/element_template'
%>');
Related
In a Freemarker template on a page with Angular, I have the following:
...
ng-init="somevariable = ${(model.usercontrolledstring)}"
...
I want to make sure this is hardened against XSS, so I've set up some escaping rules. However, the following value for model.usercontrolledstring causes JavaScript to execute:
abc'+constructor.constructor('alert(1)')()+'abc
The surprising thing is that when the client receives it, it arrives thusly:
ng-init="somevariable = 'abc'+constructor.constructor('alert(1)')()+'abc'"
So it looks like it's being escaped correctly, but Angular is still deciding to run it!
So I guess my questions would be:
What am I not understanding about Angular? (In particular, its decision to run after decoding html entities)
Is there a proper way of configuring a Freemarker Template to prevent this sort of XSS?
I believe you should use somevariable = '${model.usercontrolledstring?jsString}' there.
Also, if that thing goes into a <script> block, certainly you shouldn't apply HTML escaping there. It's not decoded by the browser inside <script>, so you end up with string values that literally contain '. Unless the string meant to contain HTML as opposed to plain text, that's wrong.
I don't have to HTML encode the string. I was trying various solutions, but the problem is still, how do you handle the semicolon entered by the user if you need to do a JS str.indexOf(";"); later on.
I’m using System.Net.WebUtility.HtmlEncode(test); encode my string,which adds semicolons (as you would expect for html encoding).
Later down the process this string gets utilized to create JavaScript commands that end with ';'. These commands are separated by doing a str.indexOf(";");
My issue is that the user is allowed to enter semi-colon in the field,which breaks the aforementioned indexof(";"), which I use to dynamically create the JavaScript commands.
How can I support users entering in semicolons into a string if I need to do a JS indexof(";") to separate the JS commands?
I tried in the C# side doing a
string myString = System.Net.WebUtility.HtmlEncode(test);
but that just makes the situation worse by adding even more semicolons as you would expect for HTML enconding.
The solution I came up with was to do a replace on the the C# side. In C# I do a .Replace of all % and (other problematic characters) with their URL encoded string versions before the JavaScript command ending ";" gets inserted(i.e. myString.Replace(";","%3B").Replace("=","%3D");).
Once it hits the JavaScript side I do the complete opposite, thus leaving my JS semicolons intact.
The aforementioned solution allowed me to distinguish between a user inserted semicolon and one entered in programmatically.
I have the following link being created dynamically in a legacy .asp application.
<a href='javascript:OpenIncompleteProposal(<%=iProposalID%>, <%=Server.UrlEncode(Session("Security_UserFullName"))%>)'><%=sClientName%></a>
When this renders it renders with no quotes around either parameter, i want the second parameter surrounded by single quotes. i know it should be easy but escaping the strings and wrapping the globalsession variable is causing me some trouble.
In my Ruby on Rails app this controller responds with Javscript render. For certain 'labels' I need to replace spaces with a newline character \n. There are two ways to do this:
1) Replace the white spaces in db itself and just fetch and serve it in the front end.
This makes "North America" to "North\nAmerica"
2) Replace it in the application code
label = label.gsub(" ","\n")
The second one breaks the javascript code. I looked at the request using firebug and the second one breaks the word, the newline character is actually interpreted as compared to the first implementation where it appears as plain text.
Context:
The action renders a .js file as it's response to an ajax call. The js file calls Morris.js functions to implement analytics. See this question here too: svg-text-disappears-on-larger-label
It seems that you are having problem with javascript escaping in your code.
If you are using remote request than you may use escape_javascript and in case you are using the script in html then you must escape it the way we normally do it using '\'
I have recently started writing some scripts for Google Spreadsheets. I have no experience with Javascript though and I have question that is concerning a (as I suppose) basic issue.
I would like my script to insert data shown below into a cell in a sheet. How should I encode it to make it work?
komorkaLinku.setValue("=HYPERLINK("http://www.some.link/some/data"+variable+"something","something")");
I had tried several ways but none of them worked.
You are trying to include quotes inside quoted text. There are a couple of ways to do that.
Use single quotes inside double quotes, or vice-versa.
komorkaLinku.setValue('=HYPERLINK("http://www.some.link/some/data'+variable+'"something","something")');
Use escaped single quotes.
komorkaLinku.setValue('=HYPERLINK(\'http://www.some.link/some/data'+variable+'\'something\',\'something\')');
As #ScampMichael comments, it would be a better choice to use setFormula() in this case. You would still need to handle embedded quotes properly.