Bytes IT Community

Preventing Cross Site Scripting

Can anyone help?

I need to HTML encode all text field values on the client just before
sending them to the server. A JavaScript equivalent of Server.HTMLEncode in
IIS. I also need to be able to perform the reverse.

All I am trying to do is ensure that if a user enters HTML tags in a
form, the tags do not get parsed by the browser.
Jul 20 '05 #1
4 Replies




Qaurk Noble wrote:
Can anyone help?

I need to HTML encode all text field values on the client just before
sending them to the server. A JavaScript equivalent of Server.HTMLEncode in
IIS. I also need to be able to perform the reverse.

All I am trying to do is ensure that if a user enters HTML tags in a
form, the tags do not get parsed by the browser.


Well, you need to use server-side scripting anyway, or otherwise someone
could disable JavaScript or set up his own form without the encoding.
Thus if you have ASP on the server then simply use that; don't bother
with client-side encoding.

--

Martin Honnen
http://JavaScript.FAQTs.com/

Jul 20 '05 #2

Thanks for replying Martin

I agree entirely about doing the encoding on the server side. The biggest
challenge I face at the moment is that this project is using JSP and I am
new to Java. I have not yet located a JSP equivalent of ASP's
Server.HTMLEncode.


Jul 20 '05 #3
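What the two posts above ask for, as an added example that is not code from this thread: a JavaScript equivalent of Server.HTMLEncode and its reverse, plus Martin's point written as code, with the encoding applied by the server at the moment it writes the value into the page. It is plain JavaScript that runs in Node.js or a browser; the names htmlEncode, htmlDecode and renderComment are this example's own, not a library API, and the hostile input is constructed for the demonstration. (For the JSP side of the question, JSTL's c:out tag applies the same escaping by default.)

```javascript
// Added example, not code from the original thread. Plain JavaScript that runs
// in Node.js or a browser; htmlEncode/htmlDecode/renderComment are names chosen
// for this example, not an existing library API.

// Characters that must never reach an HTML parser unencoded. Encoding the two
// quote characters as well keeps the output safe inside attribute values, not
// only between tags.
const ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Equivalent of ASP's Server.HTMLEncode: one pass over the string, so an '&'
// produced by the map is never re-encoded.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// The reverse: decodes the named entities above plus numeric character
// references (&#39; and &#x27;). Unknown entities are left untouched rather
// than guessed.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function htmlDecode(html) {
  return String(html).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const ch = NAMED_ENTITIES[body.toLowerCase()];
    return ch === undefined ? match : ch;
  });
}

// Martin's point in code: the server encodes at the moment it writes
// untrusted data into HTML, regardless of whether the browser ran any
// client-side script. The raw value can still be stored and edited; only
// the rendered output is encoded.
function renderComment(untrustedComment) {
  return '<p class="comment">' + htmlEncode(untrustedComment) + '</p>';
}

// Constructed sample: what a client that bypassed the form entirely might send.
const hostileInput = '<script>alert(document.cookie)</script>';
console.log(renderComment(hostileInput));
// Round trip: decoding the encoded form gives the original back.
console.log(htmlDecode(htmlEncode(hostileInput)) === hostileInput);
```

Note that the decoder only has to understand what this encoder emits; a general HTML decoder needs the full named-entity table, which is why the reverse operation is rarely needed on a server that stores the raw value and encodes on output.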

Fox


Qaurk Noble wrote:

Thanks for replying Martin

I agree entirely about doing the encoding on the server side. The biggest
challenge I face at the moment is that this project is using JSP and I am
new to Java. I have not yet located a JSP equivalent of ASP's
Server.HTMLEncode.
In JS, you can use escape(string) and unescape(string);

if you want to strip out html inputted by the user:

string.replace(/(<([^>]+)>)/g,""); // before escaping



Jul 20 '05 #4

JRS: In article <3F***************@spam.com>, seen in
news:comp.lang.javascript, Fox <do**@spam.com> posted at Thu, 11 Dec
2003 16:54:45 :-

if you want to strip out html inputted by the user:

string.replace(/(<([^>]+)>)/g,""); // before escaping


That can change non-HTML text :

Try S = "J'appelle mon petit chien <<Idefix>>"
or S = "This works : if (X<12) and (Y>3) then Write('Ooh!') ;"
then S.replace(/(<([^>]+)>)/g,"");

--
John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4
<URL:http://jibbering.com/faq/> Jim Ley's FAQ for news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> Jsc maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/Jsc/&c, FAQ topics, links.
Jul 20 '05 #5
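John's two counterexamples run against Fox's regex, as an added example that is not code from this thread, together with two further checks a reviewer would want: that the same regex leaves an unclosed tag alone, and that escape()/unescape() round-trip the tags untouched, since they are percent-encoding rather than HTML encoding. Plain JavaScript for Node.js or a browser; stripTags and htmlEncode are names chosen here, stripTags wraps Fox's regex unchanged, and the unclosed-tag string is constructed for the demonstration.

```javascript
// Added example, not code from the original thread. Plain JavaScript (Node.js
// or browser); stripTags and htmlEncode are names chosen for this example.

// Fox's regex, unchanged: removes anything that looks like <...>.
function stripTags(s) {
  return s.replace(/(<([^>]+)>)/g, '');
}

// Minimal HTML encoder for comparison: the characters are kept, the parser
// just no longer sees them as markup.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// John's two counterexamples, constructed here as test input.
const french = "J'appelle mon petit chien <<Idefix>>";
const pascal = "This works : if (X<12) and (Y>3) then Write('Ooh!') ;";

// 1. Stripping destroys legitimate text: the regex matches from the first '<'
//    to the next '>', swallowing whatever sits between.
function strippedExamples() {
  return [stripTags(french), stripTags(pascal)];
}

// 2. Stripping also misses markup a browser still accepts. The regex needs a
//    closing '>', so an unclosed tag is left in place, and the HTML parser
//    will close it at the next '>' it meets in the surrounding page.
const unclosed = '<img src=x onerror=alert(1)';
function stripMissesUnclosedTag() {
  return stripTags(unclosed) === unclosed;
}

// 3. escape()/unescape() are percent-encoding (a legacy URL-style encoding),
//    not HTML encoding. However much the client escapes, once the server
//    calls unescape() the tags are back exactly as typed.
function escapeRoundTrip(s) {
  return { escaped: escape(s), restored: unescape(escape(s)) };
}

// 4. Encoding keeps every character of John's strings and still renders them
//    as literal text.
function encodedExamples() {
  return [htmlEncode(french), htmlEncode(pascal)];
}

console.log(strippedExamples());
console.log(stripMissesUnclosedTag());
console.log(escapeRoundTrip('<b>x</b>'));
console.log(encodedExamples());
```

The contrast is the practical lesson of the thread: a stripper has to guess what markup is, and guesses wrong in both directions, whereas output encoding does not need to know anything about the content.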
