views: 28
answers: 1

I have a script that is rendered to an html page as a part of a tracking solution (etracker).

It is something like this:

<script>
var et_cart= 'nice shoes,10.0,100045;nice jacket,20.00,29887';
</script>

This will be transmitted to the server of the tracking solution by some javascript that I don't control. It will end up as 2 items. The items are separated by a semicolon in the source (after '100045').

I obviously need to Html-encode and Javascript-encode the values that will be rendered. I first Html-encode and after that remove single quotes.

This works, but I have an issue with special characters in french and german e.g. umlaut (ü, ä...). They render something like {. The output of the script when using lars ümlaut as the article is:

<script>
var et_cart= 'lars &#123;mlaut,10.0,100045;nice jacket,20.00,29887';
</script>

The semicolon is evaluated as an item separator by the tracking solution.

The support of the tracking solution told me to url-encode the values. Can this work? I guess URL-encoding doesn't stop any XSS attacks. Is it ok to first url-encode and html-encode, then javascript-encode after it?

A: 

The values only need to be URL encoded to transmit to the client. If the information is being displayed by the client it's their responsibility to ensure they are protecting themselves against XSS attacks, not yours.

<script>
var et_cart= 'lars+%FCmlaut%2C10.0%2C100045%3Bnice+jacket%2C20.00%2C29887';
</script>
WDuffy
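The layering the thread arrives at, shown as an added example (not code from the question, the answer or etracker): the value is URL-encoded first, because that is the innermost format the tracker parses, and only the finished string is then escaped as a JavaScript string literal for the script block. The item names are constructed, and UTF-8 is assumed, so "ü" becomes %C3%BC rather than the %FC in the answer above. The `broken_html_first` function reproduces the original failure for comparison.

```python
import json
from urllib.parse import quote_plus, unquote_plus

# Constructed sample cart: (name, price, article number). The names deliberately
# contain an umlaut, the field separator "," and the item separator ";".
SAMPLE_CART = [
    ("lars ümlaut", "10.0", "100045"),
    ("nice jacket; red, XL", "20.00", "29887"),
]


def broken_html_first(items):
    # The original approach: HTML-entity-encode each value before joining with the
    # tracker's delimiters. "ü" becomes "&#252;" and the ";" inside the entity is
    # later read as an item separator, so one product turns into two.
    def ent(value):
        return value.encode("ascii", "xmlcharrefreplace").decode("ascii")
    return ";".join(",".join(ent(f) for f in item) for item in items)


def build_et_cart(items):
    # Innermost layer: URL-encode every field. quote_plus leaves only alphanumerics,
    # "_.-~", "%" and "+" in the output, so "," ";" "'" "<" "&" can no longer collide
    # with the delimiter format, the JS string or the HTML around it.
    return ";".join(",".join(quote_plus(f) for f in item) for item in items)


def js_string_literal(value):
    # Outer layer: make the whole string a JS string literal. json.dumps escapes
    # quotes and backslashes; "<" is additionally written as \u003c so that a value
    # containing "</script>" cannot close the script element early.
    return json.dumps(value).replace("<", "\\u003c")


def render_script(items):
    # The server-side rendering step: the encoded cart inside a <script> block.
    return "<script>\nvar et_cart = %s;\n</script>" % js_string_literal(build_et_cart(items))


def parse_et_cart(et_cart):
    # What the receiving side does: split on the delimiters first, then URL-decode each
    # field, which restores any "," or ";" the original values contained.
    return [tuple(unquote_plus(f) for f in item.split(",")) for item in et_cart.split(";")]


if __name__ == "__main__":
    print(broken_html_first(SAMPLE_CART[:1]))   # one item, but two ";"-separated pieces
    print(render_script(SAMPLE_CART))
    print(parse_et_cart(build_et_cart(SAMPLE_CART)))
```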