tags:

views:

140

answers:

2
+1  Q: 

Escaping a double-quote in inline c# script within javascript

I need to escape a double quote in inline c# within javascript. Code is below:

if ("<%= TempData["Message"]%>" == "") {
    // code
};

Normally, I would just use single quotes like so:

if ('<%= TempData["Message"]%>' == "") {
    // code
};

However, TempData["Message"] has single quotes within it (when it contains a link generated by the Html.ActionLink() helper in ASP.NET MVC). So while I could change all the ActionLink helpers inside TempData["Message"] to tags, it's an interesting problem and would been keen to hear if anyone has an answer.

+2  A: 

Call HttpUtility.JavaScriptStringEncode.
This method is new to ASP.Net 4.0; for earlier versions, use the WPL.

SLaks  2010-09-21 23:05:42
Hmm, I don't have .NET 4. What does it do?
ajbeaven  2010-09-21 23:08:36
It escapes a bunch of characters. Use WPL.
SLaks  2010-09-21 23:19:22
Ajax.JavaScriptStringEncode seemed to work. Any comment?
ajbeaven  2010-09-21 23:20:31
I was unaware of it. It should work fine.
SLaks  2010-09-21 23:22:45
Great, thanks :) +1
ajbeaven  2010-09-21 23:23:43
A: 

I have addressed this by writing a HtmlHelper that encodes the strings to a format acceptable in Javascript:

public static string JSEncode(this HtmlHelper htmlHelper, string source)
{
    return (source ?? "").Replace(@"'", @"\'").Replace(@"""", @"\""").Replace(@"&", @"\&").Replace(((char)10).ToString(), "<br />");
}

Then, in your view:

if ('<%= Html.JSEncode( TempData["Message"] ) %>' == "") {
    // code
};
Clicktricity  2010-09-21 23:08:35
That's very wrong. You should not be replacing `\r` with `<br />` tags, and there are more characters that you need to escape.
SLaks  2010-09-21 23:18:12
Specifically: backslash itself (otherwise `\"` is escaped to `\\"` and breaks the string with security implications) and other newline characters.
bobince  2010-09-21 23:31:53
This is what works for me, and the messages I need to encode. Feel free to adjust to your individual needs
Clicktricity  2010-09-22 07:52:04
Your code is an XSS hole. You should fix it.
SLaks  2010-09-22 20:46:49

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?