Is it necessary to "escape" character "<" and ">" for javascript string?

Posted by Morgan Cheng on Stack Overflow See other posts from Stack Overflow or by Morgan Cheng
Published on 2009-04-23T01:27:41Z Indexed on 2010/03/30 21:53 UTC
Read the original article Hit count: 292

Filed under:

JavaScript

|

encode

|

xss

|

html

Sometimes, server side will generate strings to be embedded in inline JavaScript code. For example, if "UserName" should be generated by ASP.NET. Then it looks like.

<script>
   var username = "<%UserName%>";
</script>

This is not safe, because a user can have his/her name to be

</script><script>alert('bug')</script></script>

It is XSS vulnerability.

So, basically, the code should be:

<script>
   var username = "<% JavascriptEncode(UserName)%>";
</script>

What JavascriptEncode does is to add charater "\" before "/" and "'" and """. So, the output html is like. var username = "<\/script>alert(\'bug\')<\/script><\/script>";

Browser will not interpret "<\/script>" as end of script block. So, XSS in avoided.

However, there are still "<" and ">" there. It is suggested to escape these two characters as well. First of all, I don't believe it is a good idea to change "<" to "<" and ">" to ">" here. And, I'm not sure changing "<" to "\<" and ">" to "\>" is recognizable to all browsers. It seems it is not necessary to do further encoding for "<" and ">".

Is there any suggestion on this?

Thanks.

© Stack Overflow or respective owner

Related posts about JavaScript

CHAT ROOMs 7 by 6

as seen on Stack Overflow - Search for 'Stack Overflow'
I am looking for chatroom on one page with 7 loggedin users and 6+rows for say 42 users.these users will keep on adding wthnew users.Need urgent help.A PRETTY UNUSUAL Q FOR MOST OF U.What is MORE REQ new features: Usernames are unique to users currently chatting You can see a "currently chatting"… >>> More
Integrating JavaScript Unit Tests with Visual Studio

as seen on Stephen Walter - Search for 'Stephen Walter'
Modern ASP.NET web applications take full advantage of client-side JavaScript to provide better interactivity and responsiveness. If you are building an ASP.NET application in the right way, you quickly end up with lots and lots of JavaScript code. When writing server code, you should be writing… >>> More
Has Javascript developed beyond what it was originally designed to do?

as seen on Programmers - Search for 'Programmers'
I've been talking with a friend about the purpose of Javascript, when and how it should be used, etc. He quoted that: JavaScript was designed to add interactivity to HTML pages [...] JavaScript gives HTML designers a programming tool HTML authors are normally not programmers… >>> More
PHP, javascript, single quote problems with IE when passing variable from ajax post to javascript fu

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi! I have been trying to get this to work for a while, and I suspect there's an easy solution that I just can't find. My head feels like jelly and I would really appreciate any help. My main page.php makes a .post() to backend.php and fetches a list of cities which it echoes in the form of: <li… >>> More
Javascript in XSL that is loaded by Javascript

as seen on Stack Overflow - Search for 'Stack Overflow'
Is there anyway to have javascript run when a XSL sheet has been applied to an XML file by Javascript? I am using a JQuery plugin to apply the sheet to the xml but the javascript that is located inside of the XSL file will not run. I put the Javascript at the bottom of the file and it still does… >>> More

Related posts about encode

URI encode and HTML encode

as seen on Stack Overflow - Search for 'Stack Overflow'
If I have the xml/html data to post we need to encode the data to avoid the XSS validation. So should we use HTMLencode or URI encoding for this. If URI encoding is used will it cause issues as form POST automatically URI encode all the data before sending. >>> More
Unable to encode to iso-8859-1 encoding for some chars using Perl Encode module

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a HTML string in ISO-8859-1 encoding. I need to pass this string to HTML:Entities::decode_entities() for converting some of the HTML ASCII codes to respective chars. To so i am using a module HTML::Parser::Entities 3.65 but after decode_entities() operation my whole string changes to utf-8… >>> More
line break within Html.Encode & String.Join

as seen on Stack Overflow - Search for 'Stack Overflow'
I have the following line of code. <%= Html.Encode(string.Join(", ", item.company1.companies.Select(x => x.company_name).ToArray())) %> Would it be possible to somehow replace the comma with a line break? >>> More
OS X: Base64 encode via command line

as seen on Super User - Search for 'Super User'
Is there a terminal command in Mac OS X which will base64 encode a file or stdin? >>> More
Java Speech Example: Encode, Stream, Decode, Play

as seen on Stack Overflow - Search for 'Stack Overflow'
I have been trying to find an example of this that I could use for a couple years, I'm ashamed to admit. I would like to see a working, compileable example (most that I find online don't compile or don't actually work) of reading from the microphone, encoding the voice data in a speech-friendly encoding… >>> More