jsp to display alert - javascript

How do i write a Jsp page which opens JSbox.
main vulnerabilities that apply to this eg.

I'm just going to worry about the cross-site-scripting problems caused by HTML and JS injection. CSRF doesn't seem to be an issue yet because just alerting “hello” doesn't have any active side-effects that you would have to be logged in to do.
The bonehead way of doing it:
<script type="text/javascript">
alert('Hello, <%= request.getParameter("name") %>');
</script>
This suffers from JS injection because there is no JS-escaping inside a JS string literal:
name=');execute_arbitrary_code();'
and also suffers HTML injection because the enclosing script block can be closed early:
name=</script><script>execute_arbitrary_code();//
Unfortunately there is no standard tag in JSP that will escape text in a JS string literal (that is itself in an HTML script block). You can write and use your own tag to do it, or reuse a library that defines one. For example OWASP ESAPI has:
<script type="text/javascript">
alert('Hello, <esapi:encodeForJavaScript>${param.name}</esapi:encodeForJavaScript>');
</script>
But it is often easier to avoid encoding into JS, and instead push data through the DOM. Because the DOM is plain HTML, you only need normal markup escaping, which JSP has natively in the <c:out> tag.
<input type="hidden" id="name-parameter" value="<c:out value="${param.name}"/>"/>
<script type="text/javascript">
var name = document.getElementById('name-parameter').value;
alert('Hello, '+name);
</script>
This aids in the long-term goal of keeping your JS separate from your markup and server-side code. data- attributes are another good way to pass data from markup to JS.

Related

Is there is a way to use <script> tag as you might use <%%> tag in asp or jsp?

To do something like that for example:
<script> for(var i=0; i<5; i+=1){ </script>
<h1>hello</h1>
<script> } </script>
If we used <%%> instead of <script> in aspx page it would print "hello" five times.
I just thought it would be really awesome if we can!
No. That approach is only used in back-end languages such as ASP and PHP. In those languages, the engine parses the source code for ASP or PHP instructions in order to produce its output.
When dealing with JavaScript in an HTML document (inside <script> tags), it is the HTML document which is first interpreted, and during that parsing, the JavaScript is identified and run. JavaScript does not initially generate HTML and is merely included in it.

javascript loaded from a path; how to use document.getelementbyid

`
function init() {
var a = 'output of my processing';
alert('I am here'); // alert pops up
document.getElementById("<%=hdnField.ClientID %>").value = a;
}
<head>
<script src="../Scripts/myscripts.js"></script>
</head>
<body onload="init()">
<asp:HiddenField ID="hdnField" runat="server" />
</body>
`I have a page with lot of javascript; I am trying to clean it up by moving the scripts to a script folder and reference the path; Seems to work fine, except when it encounters 'document.getelementbyid(controlname.id)'- it throws 'TypeError: Cannot read property 'value' of null'
I understand it is not able to find the control. Why does that happen? I thought the DOM is already built - what difference does moving the javascript to a path make to that anyway? Any ideas on how to make it work? I would really like javascript to be moved from the page.
You're using ASP.Net inline calls inside your JS. This couldn't work, for two reasons:
It's likely you don't have your server configured to handle .js files using the ASP.Net processor.
Even if you did, the processing of the .js would be completely separate to the hosting .aspx page; meaning hdnField would not be in scope.
You would be better off passing knowledge about the items on your page directly to the JavaScript:
JS:
function init(config) {
var a = 'output of my processing';
alert('I am here'); // alert pops up
document.getElementById(config.hdnFieldID).value = a;
}
ASPX:
<head>
<script src="../Scripts/myscripts.js"></script>
</head>
<body onload="init({ hdnFieldID: '<%= hdnField.ClientID %>' })">
<asp:HiddenField ID="hdnField" runat="server" />
</body>
Hope that helps.
This answer assumes your directory structure is correct.
Move your script tag to the bottom of the body, just before . Here is a good SO answer to this question, and here is another.
In addition, in general, it's bad practice to call a JavaScript function from inside HTML elements. If you're not using jQuery, you can add a "DOMContentLoaded" event listener to run the code. With jQuery, the standard $(document).ready() has been proven to work well. Or, if you simply put your script tag at the bottom of the , and place init(); at the end of your JS file, it will all run properly. This would be for a very simple application, but simplicity is sometimes the best.
Finally, for a sanity check, you could hard-code the ID in your init function. I don't know asp.net, but you might want to check the output of <%=hdnField.ClientID %>. Are you sure you're getting the correct ID?
Good luck.

How to put "</script>" in a javascript string?

I've been trying some tricks in javascript and came to a ridiculous problem: I can't use <script> as a substring in a javascript string! Here is an example:
<html>
<head>
<script>
alert("<script></script>");
</script>
</head>
</html>
It supposed to print out <script></script>, but instead, I get this:
");
Printed out on the page, as HTML.
Question: How can I use <script> followed by </script> substrings in Javascript, and why is it acting that way?
Here is JSFiddle of it.
What's tripping you up is the </script>. The HTML parser doesn't recognize Javascript strings or nested <script> tags, so it's interpreting that as the closing tag for the initial <script>. That is, this part of the document is parsed as:
<script> (open tag)
alert("<script> (text node - contents of the script)
</script> (close tag)
"); (text node - plain text)
The second </script> is ignored, as there's no other <script> tag for it to close.
To work around this, break up </script so that the HTML parser doesn't see it. For instance:
alert("<script><\/script>");
or:
alert("<script><" + "/script>");
or just put the code in an external Javascript file. This issue only arises for inline scripts.
it is because of the \ I believe. i have no concrete explanation since I am a newbie to Javascript but this code should work:
alert("<script><\/script>");
came up with it using Java knowledge.. Haha since the \ is an escape key in many languages.
Alert(\<script>\</script>\)

Change <body> ID with Javascript from within ContentPage

I'm looking to do a short term hack on a site. The site is a ASP.NET site with a master page. The body tag is in the master page. I'd like to specify which ID should be in the body tag from within various content pages. What I don't know is if you can have this type of access to the body tag when your JS is within the body tag. For various reasons, I'd like to try to accomplish this in JS, not .NET.
Any tips?
Rephrasing for clarity:
I would like to use JavaScript to specify a body ID from within the body tag of a site. For example:
<body id="MyID">
JS to change MyID to another name
</body>
Put this in the Page_Load of any ContentPage...
string JS = "document.body.id = 'WhateverID';";
ClientScript.RegisterStartupScript(this.GetType(), "BodyID", JS, true);

How to include Javascript in xml-document?

The task seems to be pretty easy: how to include a Javascript file in xml-document so that at least Opera and Firefox could actually parse it and execute the code?
Add a script stating XHTML namespace, it will run just fine.
<xhtml:script xmlns:xhtml="http://www.w3.org/1999/xhtml"
src="file.js"
type="application/javascript"/>
See also
http://www.ibm.com/developerworks/xml/library/x-ffox3/
If I get you, you want an XML document to run javascript when viewed in a browser?
This is not part of the XML standard, and as such will not be suppoted until it is (I assume this will never be supported because XML is not intended for display, but data). If you are talking about XHTML then this is a different matter.
--
Edit: just to clarify my answer.
XML was never intended to be a display markup like HTML, thats why XHTML was developed (HTML that conforms to XML standards). Browsers have been made to interpret XHTML in a certain way, but XML is simply raw data.
If you want your XML to run additions such as JavaScript you will want to consider using XSLT to transform your XML into XHTML and therefore take advantage of a browsers capabilities.
<script xmlns="http://www.w3.org/1999/xhtml"><![CDATA[
alert('Hello');
]]></script>
Or for external javascript:
<script xmlns="http://www.w3.org/1999/xhtml" src="external.js"></script>
Works in Firefox and Opera.
I did this:
XSLT:
<xsl:value-of select="/label[#id='MyScript']/text()" disable-output-escaping="yes"/>
XML:
<label id="MyScript"><![CDATA[
<script type="text/javascript">
alert("Hello world");
</script>
]]></label>
Embed the XML and the Javascript in an XHTML document and then use the vast and well-documented capabilities of dynamic HTML.
You'll get something up and running much faster than you will by reasoning that since some browsers implement weak and poorly-documented CSS styling of XML documents, therefore they must support the execution of Javascript embedded in XML, as though there were any connection whatsoever between those two ideas.
Similar to the above, but that could error because the <![CDATA[ and ]]> portions are not valid code. If you're putting it into an XSL script, you can just as well put a JS comment mark before these beginning and ending elements.
I also have used the xsl:text element to output the <![CDATA[ portion. This portion may be a bit of cheat, but it results in well-formed XML. An example from within an xsl:choose block might be...
...
<xsl:when test='name()="script"'>
<script>
<xsl:for-each select='#*'><xsl:copy-of select='.' /></xsl:for-each>
<xsl:text disable-output-escaping='yes'>
// <![CDATA[
</xsl:text>
<xsl:copy-of select='./text()' />
<xsl:text disable-output-escaping='yes'>
//]]>
</xsl:text>
</script>
</xsl:when>
...
Walking through the pieces...
Detect a <script> element.
Replicate <script> tag for the output.
Be sure to preserve the tag attributes in the output with a quick xsl:for-each line.
Output the non-escaped text: // <![CDATA[. The // renders the rest of the line as a comment and thus prevents a JS error.
Copy the text contents of the <script> tag. NOTE: You must preseve the new-line (either as above or some other way) so that the commented out line before it does not end up on the same line as this one. Obviously, if it does, it will comment out this line as well. Preserving the one after is not essential, but is keeps the aesthetics of the two matching CDATA tags.
Output the non-escaped text: // ]]>. This ends the CDATA block, and again, the CDATA marking is ignored by the browser when reading the JS.
Close the block with a </script> tag, of course.
And, if you're using it in a xsl:choose block, close then xsl:when.
Only steps 2, 3, 5, & 7 actually copy the script block. The rest is busywork to make it work.
Transforming a block such as...
...
<script type='javascript'>alert('Hello World!');</script>
...
Then becomes,
...
<script type='javascript'>
// <![CDATA[
alert('Hello World!');
// ]]>
</script>
Effectively preserved, and readable both by XML as well as a browser.
A function that should help you is the eval() function. This function will evaluate any string you pass to it as Javascript.
Also, it's possible to parse XML in Javascript. Just google "javascript xml parser".
Combine these two ideas, and you'll be on your way.
If you simply want to put javascript in the XML file:
<xml>
<js script="1">
here is some javascript;
here is more javascript;
</js>
<js script="2">
here is even more javascript;
jere is even more javascript;
</js>
</xml>

Categories