Is it necessary to "escape" the characters "<" and ">" in a JavaScript string?
- by Morgan Cheng
Sometimes the server side will generate strings to be embedded in inline JavaScript code. For example, if "UserName" is generated by ASP.NET, it looks like:
<script>
var username = "<%= UserName %>";
</script>
This is not safe, because a user can set his/her name to
</script><script>alert('bug')</script></script>
It is an XSS vulnerability.
So, basically, the code should be:
<script>
var username = "<%= JavascriptEncode(UserName) %>";
</script>
What JavascriptEncode does is add the character "\" before "/", "'" and """. So the output HTML looks like:
var username = "<\/script><script>alert(\'bug\')<\/script><\/script>";
The browser will not interpret "<\/script" as the end of the script block, so the XSS is avoided.
However, "<" and ">" are still there. It is suggested to escape these two characters as well. First of all, I don't believe it is a good idea to change "<" to "&lt;" and ">" to "&gt;" here. And I'm not sure that changing "<" to "\<" and ">" to "\>" is recognized by all browsers. It seems it is not necessary to do further encoding for "<" and ">".
Is there any suggestion on this?
Thanks.