tags:

views:

154

answers:

1
+1  Q: 

Cross-site scripting in Classic ASP when writing javascript

In a server-side Classic ASP file, let's say you receive a Request string containing malicious javascript like, "alert('HACKED');"

DIM foo : foo = Request.Form("foo"); 'Contains malicious javascript

and then later we're writing javascript to screen containing that value.

%>
<script type="text/javascript">
   // some code
   <%=foo %>
   // some more code
</script>
<%

What do we do here keep ourselves safe against this form of cross-site scripting?

+1  A: 

Always remember: "Filter your input, and escape your output"

You filter data for safe storage in a database (to prevent SQL Injection), and you escape data before presenting it to the user (to prevent XSS)

Try ASP's HTMLEncode() method.

sigint  2010-07-21 20:30:51
But HTMLEncode() leaves the string "alert('HACKED');" unaffected?
twh  2010-07-21 20:53:02
The user will see (as literal text on the page) `alert("HACKED");` but the actual HTML will be rendered as `alert("HACKED");`. No javascript `alert()` box will appear.
sigint  2010-07-21 21:03:06
Single quotes do not get encoded by HTMLEncode(), and neither do the parenthesis or the semi colon. HTMLEncode() works well for HTML, and I use it all over, but in this case I'm outputting javascript not HTML.
twh  2010-07-21 21:38:44
Well that's a tough one. It would be next to impossible to determine what particular code constitutes "malicious". Can I ask why you're having your users supply you with JavaScript in the first place? Are you doing something like this: http://www.w3schools.com/JS/tryit.asp?filename=tryjs_text
sigint  2010-07-22 14:15:50

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript