ansaurus

Question

How can I make sure a string is clean for insertion into javascript Alert('error message')

Answer 1

+1 A:

You want to avoid XSS vulnerabilities, which is good. The following cheat sheet should assist you (and also contains a reference to code for escaping the string):

http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Lucero 2010-06-24 09:21:43

Answer 2

A:

To escape a string for clean insertion into html you can use HttpUtility.HtmlEncode method. I'm not sure it this helps you with the javascript.

http://msdn.microsoft.com/en-us/library/73z22y6h.aspx

Hinek 2010-06-24 09:25:58

It's about JavaScript, not HTML...

Lucero 2010-06-24 09:28:18

I quote "that will format my string for clean insertion into html"

Hinek 2010-06-25 19:49:49

Answer 3

+3 A:

If you have a look at the AntiXSS module in the Web Protection Library, you'll find that it has a JavaScriptEncode(string) method for just this sort of thing.

PhilPursglove 2010-06-24 09:33:09

+1 for pointing into the right direction!

Lucero 2010-06-24 13:25:05

Answer 4

+1 A:

If you are using ASP.NET 4 you can use the new <%: %> syntax to HtmlEncode the generated string AND replace the default encoder with AntiXSS, or any other library you may prefer. Phil Haack explains how to do this in Using AntiXss as the default encoder for ASP.NET

This way you can write an alert like this:

alert('<%: this.ErrorMessage %>');

In previous versions you can use what others have suggested, either HtmlEncode or AntiXss like this:

alert('<%= HttpUtility.HtmlEncode(this.ErrorMessage) %>');

or

alert('<%= AntiXss.HtmlEncode(this.ErrorMessage) %>');

Panagiotis Kanavos 2010-06-24 09:54:41

Answer 5

A:

HttpUtility.HtmlEncode will not encode a single quote (') and is not suitable for encoding a string to be used as an alert message. Personally I do it like this:

public static string EscapeAlertMessage(string value)
{
    value = value.Replace("\\", "\\\\");
    value = value.Replace("'", "\\'");
    value = value.Replace("\"", "\\\"");
    return value;
}

If your message contains multiple lines, you can replace them by "\n" - e.g. if the lines are separated by Environment.NewLine:

value = value.Replace(Environment.NewLine, "\\n");

Or if you don't know what the separators are (\r\n, \n or \r only) you could use:

value = value.Replace("\r", "\\r");
value = value.Replace("\n", "\\n");

Joe 2010-06-24 10:52:47

This was fixed in ASP.NET 4.0. HtmlEncode now replaces ' with '

Panagiotis Kanavos 2010-06-24 12:29:35

`HtmlEncode` encodes string for use in HTML. To use string in JavaScript string literal, you must encode it as JavaScript string literal, not HTML.

el.pescado 2010-06-24 13:58:50

Answer 6

+1 A:

Thanks for the help but none of the answers presented gave me the complete solution.

Joe's answer was closest but it did not account for \r\n newline. I could not find a way to translate c# newline into a javascript equivalient.

public static string EscapeAlertMessage(string value)
{
  value = value.Replace("\\", "\\\\");
  value = value.Replace("'", "\\'");
  value = value.Replace("\"", "\\\"");
  value = value.Replace(Environment.NewLine, "--");

  return value;
}

2010-06-24 12:08:23

JavaScript's newline is just '\n'

Ryan Kinal 2010-06-24 12:15:56

That would be Replace(Environment.NewLine, "\\n");

Joe 2010-06-24 12:26:29

A string could contain any type of line break (\n, \r or \r\n) ... shouldn't it be a regex that replaces \r andor \n against a single \\n ?

Hinek 2010-06-25 20:00:38

Answer 7

+2 A:

There's a simple solution...use the DataContractJsonSerializer and "serialize" the string value. By serializing the string to JSON, you're by definition ensuring that it'll work nicely inside an alert statement.

jvenema 2010-06-24 12:33:50

ansaurus

tags:

views:

answers:

How can I make sure a string is clean for insertion into javascript Alert('error message')

related questions