tags:

views:

194

answers:

1
Q: 

The way to check the javascript injections

Is it enough to avoid javascript injection validating input data in such way:

xssValidate = function(value) {
    var container = $("<u></u>").text(value);
    if($(container).html() != value) return mc.ERROR_INVALID_FORMAT;
}

I've managed to validate all the text fields and textareas values with the code above before submit them to server.

+5  A: 

I think that's going to be very annoying for your users... what if I want to type "this & that" or "11 > 7"?

What you should be doing really is escaping it when you output it.

Additionally, I hope you're validating on the server as well as the client side.

Greg  2009-07-09 11:05:50
I'd also like to add that the proper way of doing things is to accept whatever the user has input in the textbox, work with it in the same form, and encode it only as the very last step before actually rendering it out to HTML. Also, if you don't use parametrized queries (like you should be!) you will have to escape the string before concatenating it in a query to avoid SQL injections.
Vilx-  2009-07-09 11:08:47
+1 for usability and server security concerns.
Residuum  2009-07-09 11:09:27
I completely agree all that limitations are annoyed users and there is no 'silver bullet'. In my particular case I've decided to limit user's input by < symbol and it shouldn't be too much uncofortable for users of my application.
Alex Pavlov  2009-07-09 15:16:57

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript