Is it necessary to "escape" character "<" and ">" for javascript string?
Posted
by Morgan Cheng
on Stack Overflow
See other posts from Stack Overflow
or by Morgan Cheng
Published on 2009-04-23T01:27:41Z
Indexed on
2010/03/30
21:53 UTC
Read the original article
Hit count: 326
Sometimes, server side will generate strings to be embedded in inline JavaScript code. For example, if "UserName" should be generated by ASP.NET. Then it looks like.
<script>
var username = "<%UserName%>";
</script>
This is not safe, because a user can have his/her name to be
</script><script>alert('bug')</script></script>
It is XSS vulnerability.
So, basically, the code should be:
<script>
var username = "<% JavascriptEncode(UserName)%>";
</script>
What JavascriptEncode does is to add charater "\" before "/" and "'" and """. So, the output html is like. var username = "<\/script>alert(\'bug\')<\/script><\/script>";
Browser will not interpret "<\/script>" as end of script block. So, XSS in avoided.
However, there are still "<" and ">" there. It is suggested to escape these two characters as well. First of all, I don't believe it is a good idea to change "<" to "<" and ">" to ">" here. And, I'm not sure changing "<" to "\<" and ">" to "\>" is recognizable to all browsers. It seems it is not necessary to do further encoding for "<" and ">".
Is there any suggestion on this?
Thanks.
© Stack Overflow or respective owner