Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it necessary to "escape" character "<" and ">" for javascript string?

Sometimes, server side will generate strings to be embedded in inline JavaScript code. For example, if "UserName" should be generated by ASP.NET. Then it looks like.

<script>
   var username = "<%UserName%>";
</script>

This is not safe, because a user can have his/her name to be

</script><script>alert('bug')</script></script>

It is XSS vulnerability.

So, basically, the code should be:

<script>
   var username = "<% JavascriptEncode(UserName)%>";
</script>

What JavascriptEncode does is to add charater "\" before "/" and "'" and """. So, the output html is like. var username = "</script>alert(\'bug\')</script></script>";

Browser will not interpret "</script>" as end of script block. So, XSS in avoided.

However, there are still "<" and ">" there. It is suggested to escape these two characters as well. First of all, I don't believe it is a good idea to change "<" to "&lt;" and ">" to "&gt;" here. And, I'm not sure changing "<" to "\<" and ">" to "\>" is recognizable to all browsers. It seems it is not necessary to do further encoding for "<" and ">".

Is there any suggestion on this?

Thanks.

like image 266
Morgan Cheng Avatar asked Apr 23 '09 01:04

Morgan Cheng


People also ask

Do I need to escape in JavaScript string?

TL;DR there's no need for crazy hacks like string concatenation or char literal escapes — just escape it as such: var snaphtml = '<\/script>'; Also, note that this is only necessary for inline scripts.

Do you need to escape in string?

Raw string literals For example, you want to specify the path C:\windows in your search. This path is a string value and normally you need to escape the backslash character ( \ ) to have the search ignore the backslash in the string. As with all strings, it must be enclosed in double quotation marks.

Why do you need to use escape characters in strings?

It is used in character strings to indicate that the current line of source code continues on the next line. The value of an escape sequence represents the member of the character set used at run time.


2 Answers

The problem has different answers depending on what markup language you are using.

If you are using HTML, then you must not represent them with entities as script elements are marked as containing CDATA.

If you are using XHTML, then you may represent them as CDATA with explicit CDATA markers, or you may represent them with entities.

If you are using XHTML, but serving it as text/html, then you need to write something which conforms to the rules of XHTML but still works with a text/html parser. This generally means using explicit CDATA markers and commenting them out in JavaScript.

<script type="text/javascript">
// <![CDATA[
  …
// ]]>
</script>

A while ago, I wrote a bit about the hows and whys of this.

like image 195
Quentin Avatar answered Nov 06 '22 02:11

Quentin


No, you should not escape < and > using HTML entities inside <script> in HTML.

  • Use JavaScript string escaping rules (replace \ with \\ and " with \")
  • and replace all occurances of </ with <\/, to prevent escaping out of the <script> element.

In XHTML it's more complicated.

  • If you send XHTML as XML (the way that's incompatible with IE) and don't use CDATA block, then you need to escape entities, in addition to JavaScript string escaping.
  • If you send XHTML as XML and use CDATA block, then don't escape entities, but replace ]]> with ]]]]><![CDATA[> to prevent escaping out of it (in addition to JavaScript string escaping).
  • If you send XHTML as text/html (what 99% of people does) then you have to use XML CDATA block, XML CDATA escaping and HTML escaping all at once.
like image 30
Kornel Avatar answered Nov 06 '22 04:11

Kornel