Preventing Cross Site Scripting

Qaurk Noble wrote:

Can anyone help?

I need to html encode all text field values on the client just before
sending them to the server. A javascript equilalent of Server.HTMLEncode in
IIS. I also need to be able to perform the reverse.

All I am trying to do is ensure that if a user enters html tags in the a
form, that the tags does not get parsed by the browser.

Well, you need to use server side scripting anyway or otherwise someone
could disable JavaScript or set up his own form with out the encoding.
Thus if you have ASP on the server then simply use that, don't bother
with client-side encoding.

--

Martin Honnen
http://JavaScript.FAQTs.com/

Thanks for replying Martin

I agree entirely about do the encoding on the server side. The biggest
challenge I face at the moment is that this project is using JSP and I am
new to java. I have not yet located a JSP equivalent of ASP's
Server.HTMLEncode.

"Martin Honnen" <ma*******@yahoo.de> wrote in message
news:3f********@olaf.komtel.net...

Qaurk Noble wrote:

Can anyone help?

I need to html encode all text field values on the client just before
sending them to the server. A javascript equilalent of Server.HTMLEncode in IIS. I also need to be able to perform the reverse.

All I am trying to do is ensure that if a user enters html tags in the a
form, that the tags does not get parsed by the browser.

Well, you need to use server side scripting anyway or otherwise someone
could disable JavaScript or set up his own form with out the encoding.
Thus if you have ASP on the server then simply use that, don't bother
with client-side encoding.

--

Martin Honnen
http://JavaScript.FAQTs.com/

Qaurk Noble wrote:

Thanks for replying Martin

I agree entirely about do the encoding on the server side. The biggest
challenge I face at the moment is that this project is using JSP and I am
new to java. I have not yet located a JSP equivalent of ASP's
Server.HTMLEncode.
In JS, you can use escape(string) and unescape(string);

if you want to strip out html inputted by the user:

string.replace(/(<([^>]+)>)/g,""); // before escaping


"Martin Honnen" <ma*******@yahoo.de> wrote in message
news:3f********@olaf.komtel.net...

Qaurk Noble wrote:

Can anyone help?

I need to html encode all text field values on the client just before
sending them to the server. A javascript equilalent of Server.HTMLEncode in IIS. I also need to be able to perform the reverse.

All I am trying to do is ensure that if a user enters html tags in the a
form, that the tags does not get parsed by the browser.

Well, you need to use server side scripting anyway or otherwise someone
could disable JavaScript or set up his own form with out the encoding.
Thus if you have ASP on the server then simply use that, don't bother
with client-side encoding.

--

Martin Honnen
http://JavaScript.FAQTs.com/

JRS: In article <3F***************@spam.com>, seen in
news:comp.lang.javascript, Fox <do**@spam.com> posted at Thu, 11 Dec
2003 16:54:45 :-

if you want to strip out html inputted by the user:

string.replace(/(<([^>]+)>)/g,""); // before escaping

That can change non-HTML text :

Try S = "J'appelle mon petit chien <<Idefix>>"
or S = "This works : if (X<12) and (Y>3) then Write('Ooh!') ;"
then S.replace(/(<([^>]+)>)/g,"");

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://jibbering.com/faq/> Jim Ley's FAQ for news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> Jsc maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/Jsc/&c, FAQ topics, links.