
I am building an ASP.NET MVC application that is AJAX-driven. For some reason I need to add some DOM elements on the fly when clicking a submit button. This is accomplished with jQuery.append().

One element inserted is a textarea, whose data must be parsed before submitting to ensure that no cross-site scripting can be done.

We know that the Html.Encode() works great but must be declared outside a script tag. All I have done with jQuery is embedded within a script tag.

1) Is there a way to take advantage of the Html.Encode() within a script tag?

2) How can I accomplish this with jQuery?

At worst I can use HttpUtility.HtmlEncode(), which is called on the server-side.

Thanks for your help.

Roland

4 Answers

3

If you are trying to protect against cross-site scripting, you should be doing it on the server anyway, as client-side validation can be easily bypassed.


2

As I understand, the data that you're injecting is received using some client-side call, not while the page is built on the server side. In this case you could replace $(dest).append(data); with $(dest).append($('<div>').text(data)); Using .text vs .html will already sanitise the string.

Whatever you do, I REALLY recommend watching this video by Phil Haack and Scott Hanselman: http://live.visitmix.com/MIX10/Sessions/FT05. They show different ways of hacking a site using XSS and CSRF, and ways to protect yourself - exactly what you need :)

1 Comment

+1 for the Mix session. I am not sure what text does, but it might be necessary to JavascriptEncode (not HtmlEncode) the value in the Ajax action. The Mix session really explains it all.
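To make the difference between the two append calls in this answer concrete, here is an added example (not code from the answer or from jQuery) that simulates, without a browser, what the DOM ends up holding in each case. Setting .text(data) creates a text node, so the browser never parses data as markup; serialised back out, the markup-significant characters appear entity-encoded, which is what htmlEncode below reproduces. The SAMPLE value, the element id "#dest" and the helper names are constructed for the example.

```javascript
// Added example: simulates jQuery's .text() (text node) versus .html()/.append(string)
// (parsed markup) so the effect can be checked outside a browser.
function htmlEncode(value) {
  // Same characters a browser entity-encodes when serialising a text node,
  // plus quotes so the result is also safe inside an attribute value.
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Markup that ends up in the DOM for the two calls in the answer:
//   $(dest).append(data)                   -> renderAppend(data, "html")
//   $(dest).append($('<div>').text(data))  -> renderAppend(data, "text")
function renderAppend(data, mode) {
  if (mode === "html") {
    return String(data);                            // parsed as markup: tags become elements
  }
  if (mode === "text") {
    return "<div>" + htmlEncode(data) + "</div>";   // inert text node inside the div
  }
  throw new Error("mode must be 'html' or 'text'");
}

// Defensive check a reviewer can run over a rendered fragment: does it still
// contain a script/iframe element or an element carrying an on* handler attribute?
// It requires a real '<', so entity-encoded text never matches.
function containsActiveMarkup(fragment) {
  return /<(script|iframe)\b|<\w+[^>]*\son\w+\s*=/i.test(fragment);
}

// Constructed sample of a textarea value a user might submit.
const SAMPLE = "Hello <b>Roland</b><script>alert('x')</script>";

if (typeof jQuery !== "undefined") {
  // In a browser with jQuery loaded this is the real call the answer recommends.
  jQuery("#dest").append(jQuery("<div>").text(SAMPLE));
}
```

Note the limit of this approach: .text() only protects the HTML text-node context. If the same value later goes into an attribute, a URL or an inline script string, it needs the encoding for that context instead, which is the point the comment above makes about JavascriptEncode.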

0

What version of MVC are you using? Not sure I understand the complete context, so I'm going to try to cover it from many angles (for the scenarios I can think of; sure there are more). With MVC 2, you have new support for this: <%: Model.FirstName %> to encode data, which is the equivalent of <%= Html.Encode(Model.FirstName) %> as in MVC 1.

You should be able to do that in JS within the view, as in :

<script type="text/javascript">
   $(document).ready(function() {
       $("#this").html('<%= "Some HTML to write" %>');
   });
</script>

I thought I had done that... if not, there are a few alternatives left. There is a client-side encode with the JS escape and unescape, but it encodes/decodes in a different way than the server does... try it out to see for yourself: it will replace spaces with %20 and make other alterations too.

Lastly, jQuery can make a call to the server action method using $.get("/controller/action", function(data) { /* data here */ }), which you can encode using that, but that's highly inefficient.

HTH.


0

You could use the ASP.NET built-in utility

var message = 'Welcome, @Ajax.JavaScriptStringEncode(ViewBag.UserName)!';

or you could use the Anti XSS Library

var message = 'Welcome, @Encoder.JavaScriptEncode(ViewBag.UserName, false)!';

http://weblogs.asp.net/jgalloway/archive/2011/04/28/preventing-javascript-encoding-xss-attacks-in-asp-net-mvc.aspx
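Both helpers in this answer do the same job: they encode a value so it can sit inside a quoted JavaScript string literal in an inline script without terminating the literal or the script element. The following added example (not code from the answer, from ASP.NET MVC or from the AntiXSS library) implements an encoder with that intent in plain JavaScript and checks, by evaluating the generated statement, that adversarial user names stay data. The exact escape sequences are an assumption chosen to be safe in both the script and HTML parsers; the real helpers' output may differ in form. buildWelcomeScript, evalWelcome and the sample names are constructed for the example.

```javascript
// Added example: encode an untrusted value for a quoted JavaScript string literal.
// Backslash, quotes and line terminators are escaped so the literal cannot be
// closed early; '<', '>' and '&' become \uXXXX so "</script>" or "<!--" can never
// appear in the emitted source; remaining control characters are \uXXXX as well.
function jsStringEncode(value) {
  let out = "";
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    switch (ch) {
      case "\\": out += "\\\\"; break;
      case "'": out += "\\'"; break;
      case '"': out += '\\"'; break;
      case "\n": out += "\\n"; break;
      case "\r": out += "\\r"; break;
      case "\u2028": out += "\\u2028"; break;   // JS line terminators not covered by \n and \r
      case "\u2029": out += "\\u2029"; break;
      default:
        if (ch === "<" || ch === ">" || ch === "&" || code < 0x20) {
          out += "\\u" + code.toString(16).padStart(4, "0");
        } else {
          out += ch;
        }
    }
  }
  return out;
}

// The statement the answer's view emits, with the encoder applied to the user name.
function buildWelcomeScript(userName) {
  return "var message = 'Welcome, " + jsStringEncode(userName) + "!';";
}

// Runs the generated statement the way the browser's script engine would and
// returns the resulting `message`, so the round trip can be verified.
function evalWelcome(userName) {
  return new Function(buildWelcomeScript(userName) + " return message;")();
}
```

Evaluating the generated script is only there to demonstrate the round trip; in the view, the encoded value is simply written into the page. The check worth keeping is the one on the emitted source: after encoding, the text "</script>" cannot occur in it regardless of input.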
