views: 605
answers: 2

I've been using Microsoft's AntiXss Library and was wondering if there is a good reason why its JavaScriptEncode method wraps the result in single quotes? That behavior seems unconventional.

+1  A: 

Probably to make sure it is returning a string. The usage I've seen is to take input and return a value that you can assign to a variable in JavaScript.

var message=<%=AntiXss.JavaScriptEncode(message)%>;

Now, no matter what was in message, the JS variable message will have the exact input escaped appropriately, so if some jerk tried to inject JavaScript into that message they'd just see the result of their message being assigned to the message variable.

D. Patrick
Right. But more often I find myself using JavaScriptEncode to encode untrusted user input that makes up *parts* of strings and in that scenario it is just annoying to concatenate with ' + ' or remove the quotes manually. I'd also argue that this is not the behavior one would expect as none of the other methods does anything similar (e.g. HtmlAttributeEncode doesn't wrap result in double quotes).
Josef
Couldn't agree more. Very annoying indeed.
Erlend
+3  A: 

Actually, the new 3.0 beta version has a flag: JavaScriptEncode(string input, bool flagforQuote). Setting it to false yields a result without quotes.

http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en

Erlend
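An added example, written for this thread rather than taken from the AntiXss library, covering both uses discussed above: the quoted literal that makes `var message=<%=...%>` safe in the first answer, and the unquoted form the comments want for concatenating untrusted text into part of a string (what the 3.0 beta flag provides). The function name `javaScriptEncode`, the `wrapInQuotes` parameter, the alphanumeric whitelist, and the sample payload are my own assumptions, not the library's.

```javascript
// JavaScriptEncode-style encoder (illustrative, not AntiXss code).
// Every character outside [A-Za-z0-9 ] becomes a \uXXXX escape, so the
// untrusted value can never close the string literal or the <script> block.
function javaScriptEncode(input, wrapInQuotes = true) {
  let out = "";
  for (const ch of String(input)) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9 ]$/.test(ch)) {
      out += ch;
    } else if (cp > 0xffff) {
      // Astral code points are emitted as their UTF-16 surrogate pair.
      for (let i = 0; i < ch.length; i++) {
        out += "\\u" + ch.charCodeAt(i).toString(16).padStart(4, "0");
      }
    } else {
      out += "\\u" + cp.toString(16).padStart(4, "0");
    }
  }
  // The quirk the question asks about: by default the result is a complete
  // single-quoted literal; pass false to get the bare escaped payload.
  return wrapInQuotes ? "'" + out + "'" : out;
}

// Server-side template from the first answer: var message=<encoded>;
function renderAssignment(untrusted) {
  return "var message=" + javaScriptEncode(untrusted) + ";";
}

// Concatenation case from the comments: untrusted text as *part* of a
// literal, so the quotes must be omitted.
function renderGreeting(untrustedName) {
  return "var greeting='Hello, " + javaScriptEncode(untrustedName, false) + "!';";
}

// Constructed sample payload that tries to end the literal and the script.
const SAMPLE_PAYLOAD = "x';</script><script>alert(1)//";

console.log(renderAssignment(SAMPLE_PAYLOAD));
console.log(renderGreeting(SAMPLE_PAYLOAD));
```

Because only alphanumerics and \uXXXX escapes survive, the encoded body is also a valid JSON string body, which is a convenient way to check that the value round-trips without changing meaning.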