views: 209
answers: 4

Hi Guys,

A bit of a noob question here...

I have a javascript function on a list of table rows

<tr onclick="ClosePopup('{ScenarioID}', '{Name}');" />

However, the {Name} value can sometimes contain the character "'" (single quote). At the moment the error Expected: ')' comes up as a result because it is effectively ending the javascript function early and destroying the syntax.

What is the best way to prohibit the single quotes in the {Name} value from affecting the javascript?

Cheers!

+6  A: 

You're committing the first mortal sin of insecure web template programming - not escaping the content of the values being rendered into the template. I can almost guarantee you that if you take that approach, your web app will be vulnerable to XSS (cross site scripting) and any third party will be able to run custom javascript in your page, stealing user data and wreaking havoc as they wish.

Check it out. http://en.wikipedia.org/wiki/Cross-site%5Fscripting

The solution is to escape the content. And to do that properly in the javascript, which is also inside html, is a lot more than just putting escape sequences in front of backslashes.

Any decent templating engine out there should provide you a way to escape content as it's written to the template. Your database values can be left as-is, the important part is escaping it at output time. If your template engine or dynamic web app framework doesn't allow for this, change to one that does. :)

Josh
+1 word!
some
You forgot to explain how to escape data using the backslash and possibly the replace method. Still +1 though.
fair call, however the values being obtained are done so from rendered XML (produced from a secure database call) using XSLT. And considering I'm just "getting" data is this really a mortal sin? I would have assumed this only really applies during the saving of data
Scozzard
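To make the "escape at output time" advice concrete, here is an added example (not code from any poster in this thread). A value placed inside an inline `onclick` handler passes through two parsers, so it needs two escaping layers applied in order: first it is made a JavaScript string literal, then the whole handler is escaped as an HTML attribute value. The browser undoes them in the reverse order. The `simulateClick` helper is an assumed stand-in for the browser (entity decoding followed by evaluating the handler source against a stub `ClosePopup`) so the example runs offline; the row templates and the injection payload are constructed for the demonstration.

```javascript
// Added example, not from the original thread. Two-layer escaping for a
// value rendered into an inline onclick handler:
//   1. JavaScript string-literal escaping (the value becomes a JS string)
//   2. HTML attribute escaping (the handler source is an attribute value)
// The browser decodes HTML entities first, then parses the JavaScript.

// Layer 1: JSON.stringify yields a valid JS string literal (quotes,
// backslashes and control characters escaped). "<" and ">" are escaped as
// well so the same literal is safe inside a <script> block, and U+2028/2029
// because older engines treat them as line terminators in string literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Layer 2: escaping for a double-quoted HTML attribute value.
function htmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The <tr> from the question with both layers applied.
function safeRow(scenarioId, name) {
  const handler = 'ClosePopup(' + jsStringLiteral(scenarioId) + ', ' +
                  jsStringLiteral(name) + ');';
  return '<tr onclick="' + htmlAttr(handler) + '"></tr>';
}

// The two unescaped templates that appear in the thread, for comparison.
function naiveSingleQuoted(scenarioId, name) {
  return "<tr onclick=\"ClosePopup('" + scenarioId + "', '" + name + "');\" />";
}
function naiveDoubleQuoted(scenarioId, name) {
  return "<tr onclick='ClosePopup(\"" + scenarioId + "\", \"" + name + "\");' />";
}

// Assumed browser stand-in: pull out the onclick attribute, decode the
// entities htmlAttr() can produce, then run the handler source with a stub
// ClosePopup that records its arguments. Returns the recorded arguments,
// or { error } if the handler does not parse.
function simulateClick(rowHtml) {
  const m = rowHtml.match(/onclick=(["'])([\s\S]*?)\1/);
  const source = m[2]
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
  let received = null;
  const ClosePopup = (id, name) => { received = { id: id, name: name }; };
  try {
    new Function('ClosePopup', source)(ClosePopup);
    return received;
  } catch (e) {
    return { error: e.message };
  }
}

// Constructed inputs: a legitimate name with an apostrophe, and a payload
// that turns the double-quoted template into a second ClosePopup call.
const NAME = "O'Brien <b>&amp;</b>";
const PAYLOAD = '"); ClosePopup("999", "pwned';

function demo() {
  return {
    singleQuotedBreaks: simulateClick(naiveSingleQuoted('1', NAME)),   // { error }
    doubleQuotedInjected: simulateClick(naiveDoubleQuoted('1', PAYLOAD)), // id "999"
    escapedName: simulateClick(safeRow('7', NAME)),                    // id "7", name intact
    escapedPayload: simulateClick(safeRow('1', PAYLOAD)),              // id "1", payload is just data
  };
}
```

The point of the comparison: switching the outer quotes only moves the problem from `'` to `"`, while the two-layer version passes both the apostrophe and the injection payload through as plain data, with `ClosePopup` receiving exactly the original string.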
+1  A: 

In support of the prior comment please read the following to gain a better understanding of why the security advice is so important.

http://eval.symantec.com/mktginfo/enterprise/white%5Fpapers/b-whitepaper%5Fweb%5Fbased%5Fattacks%5F03-2009.en-us.pdf

A: 

I would think that you could kill just about any code injection by, for example, replacing

"Hello"

with

String.fromCharCode(72,101,108,108,111)
Robert L
A: 

Although the security information provided by everyone is very valuable, it was not so relevant to me in this situation as everything in this instance is clientside, security measures are applied when getting the data and rendering the XML. The page is also protected through windows authentication (administration section only) and the web app framework cannot be changed. The answer I was looking for was really quite simple in the end.

<tr onclick='ClosePopup("{ScenarioID}", "{Name}");' />
Scozzard
@Scozzard: And what happens if the data contains `"`?
Grant Wagner
existing data does not contain " and regex validation for inputting data has been updated so only alphanumeric values will be accepted.
Scozzard
But yes this needs to be updated to something way more solid. It is not the ideal fix.
Scozzard
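For the "way more solid" fix mentioned in the last comment, here is an added example (not code from any poster in this thread). Instead of embedding the values in handler source at all, the template writes them as `data-*` attributes, which need only HTML attribute escaping, and a listener attached with `addEventListener` reads them back through `dataset`. No value is ever parsed as JavaScript, so single quotes, double quotes and the regex-validation assumption stop mattering. The `parseDataset` helper and the fake event object are assumed stand-ins for the browser so the round trip can be checked offline; the row markup and sample names are constructed for the demonstration.

```javascript
// Added example, not from the original thread. Render the values as data-*
// attributes (one escaping layer) and let the click handler read them from
// the DOM, rather than interpolating them into onclick source.

// Escaping for a double-quoted HTML attribute value.
function htmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Template side (what the XSLT should emit per row): no onclick attribute.
function renderRow(scenarioId, name) {
  return '<tr class="scenario-row" data-scenario-id="' + htmlAttr(scenarioId) +
         '" data-name="' + htmlAttr(name) + '"></tr>';
}

// Client side: the handler takes the values from the clicked row's dataset.
// ClosePopup is passed in so the example can substitute a recorder.
function onRowClick(event, ClosePopup) {
  const row = event.currentTarget;
  ClosePopup(row.dataset.scenarioId, row.dataset.name);
}

// In the page this would be wired up once after the table is rendered:
//   document.querySelectorAll('tr.scenario-row').forEach(function (tr) {
//     tr.addEventListener('click', function (e) { onRowClick(e, ClosePopup); });
//   });

// Assumed browser stand-in: build a dataset object from the rendered markup
// the way the DOM would (data-scenario-id -> dataset.scenarioId, entities
// decoded). Only the entities htmlAttr() produces are handled.
function parseDataset(rowHtml) {
  const dataset = {};
  const re = /data-([a-z-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(rowHtml)) !== null) {
    const camel = m[1].replace(/-([a-z])/g, (_, c) => c.toUpperCase());
    dataset[camel] = m[2]
      .replace(/&quot;/g, '"').replace(/&lt;/g, '<')
      .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
  }
  return dataset;
}

// Render a row, simulate the click, and return what ClosePopup received.
function roundTrip(scenarioId, name) {
  const rowHtml = renderRow(scenarioId, name);
  let received = null;
  const fakeEvent = { currentTarget: { dataset: parseDataset(rowHtml) } };
  onRowClick(fakeEvent, (id, n) => { received = { id: id, name: n }; });
  return received;
}
```

With this layout the only thing the template has to get right is HTML attribute escaping, which every XSLT processor does for you when the value is emitted via `<xsl:attribute>` or an attribute value template rather than with `disable-output-escaping`.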