Preventing Cross Site Scripting

Can anyone help?

I need to HTML encode all text field values on the client just before
sending them to the server. A JavaScript equivalent of Server.HTMLEncode in
IIS. I also need to be able to perform the reverse.

All I am trying to do is ensure that if a user enters HTML tags in a
form, the tags do not get parsed by the browser.
Jul 20 '05 #1
Qaurk Noble wrote:
Can anyone help?

I need to HTML encode all text field values on the client just before
sending them to the server. A JavaScript equivalent of Server.HTMLEncode in
IIS. I also need to be able to perform the reverse.

All I am trying to do is ensure that if a user enters HTML tags in a
form, the tags do not get parsed by the browser.


Well, you need to use server-side scripting anyway; otherwise someone
could disable JavaScript or set up his own form without the encoding.
Thus if you have ASP on the server then simply use that; don't bother
with client-side encoding.

--

Martin Honnen
http://JavaScript.FAQTs.com/

Jul 20 '05 #2
Thanks for replying Martin

I agree entirely about doing the encoding on the server side. The biggest
challenge I face at the moment is that this project is using JSP and I am
new to Java. I have not yet located a JSP equivalent of ASP's
Server.HTMLEncode.

Jul 20 '05 #3
Fox


Qaurk Noble wrote:

Thanks for replying Martin

I agree entirely about doing the encoding on the server side. The biggest
challenge I face at the moment is that this project is using JSP and I am
new to Java. I have not yet located a JSP equivalent of ASP's
Server.HTMLEncode.

In JS, you can use escape(string) and unescape(string);

if you want to strip out HTML inputted by the user:

string.replace(/(<([^>]+)>)/g,""); // before escaping


Jul 20 '05 #4
JRS: In article <3F***************@spam.com>, seen in
news:comp.lang.javascript, Fox <do**@spam.com> posted at Thu, 11 Dec
2003 16:54:45 :-

if you want to strip out HTML inputted by the user:

string.replace(/(<([^>]+)>)/g,""); // before escaping


That can change non-HTML text:

Try S = "J'appelle mon petit chien <<Idefix>>"
or S = "This works : if (X<12) and (Y>3) then Write('Ooh!') ;"
then S.replace(/(<([^>]+)>)/g,"");

--
John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4
<URL:http://jibbering.com/faq/> Jim Ley's FAQ for news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> Jsc maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/Jsc/&c, FAQ topics, links.
Jul 20 '05 #5
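The thread asks for a JavaScript equivalent of Server.HTMLEncode and its reverse, and John's last post shows that the tag-stripping regex from Fox's reply damages ordinary text. The block below is an added example, not code from anyone in the thread: it implements a small HTML encoder/decoder (the function names `htmlEncode`, `htmlDecode` and `stripTags` are mine, and the three sample strings are constructed, two of them taken from John's post) and runs both approaches over the same inputs so the difference is visible. As Martin says, the same encoding has to happen on the server regardless; on a JSP project JSTL's `<c:out>` and `fn:escapeXml()` do exactly this.

```javascript
// Added example: HTML-entity encoding versus tag stripping, compared on the
// same inputs. None of this is code from the original thread.

// The five characters that carry meaning in HTML text or attribute values.
// '&' is encoded in the same pass, otherwise a user who literally types
// "&lt;" would have it rendered as "<" by the browser.
const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE_MAP = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };

// Client-side equivalent of Server.HTMLEncode for text/attribute contexts.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// The reverse: turns the five entities above back into characters. A single
// left-to-right pass means "&amp;lt;" decodes to "&lt;" (one level only),
// which is what a round trip of htmlEncode should produce.
function htmlDecode(text) {
  return String(text).replace(/&(amp|lt|gt|quot|#39);/g, (entity) => DECODE_MAP[entity]);
}

// The tag-stripping regex from the thread, kept verbatim so its behaviour
// on non-HTML text can be observed.
function stripTags(text) {
  return String(text).replace(/(<([^>]+)>)/g, "");
}

// escape() from Fox's reply is percent (URL) encoding, not HTML encoding:
// the result is shown literally by the browser instead of as the typed text.
function percentEscape(text) {
  return escape(text); // legacy global, still present in browsers and Node
}

// Constructed inputs: John's two examples plus a string containing real markup.
const SAMPLES = [
  "J'appelle mon petit chien <<Idefix>>",
  "This works : if (X<12) and (Y>3) then Write('Ooh!') ;",
  "<b>hello</b>",
];

// Compare the two approaches on every sample. Encoding is lossless (the
// decoder restores the original), stripping is not.
function compare(samples = SAMPLES) {
  return samples.map((original) => {
    const encoded = htmlEncode(original);
    return {
      original,
      stripped: stripTags(original),
      encoded,
      roundTripOk: htmlDecode(encoded) === original,
      strippingChangedText: stripTags(original) !== original,
    };
  });
}

// Stand-alone run: print the comparison table.
if (typeof require !== "undefined" && require.main === module) {
  for (const row of compare()) console.log(row);
}
```

Run with `node` to see each sample's stripped and encoded form side by side. The regex removes everything from a `<` to the next `>`, so `(X<12) and (Y>3)` loses its middle, while encoding keeps every character and still prevents `<b>hello</b>` from being parsed as markup. Note that this encoder is for HTML text and attribute values only; a value placed inside a `<script>` block or a URL needs the encoding rules of that context instead.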