Question

1

Escaping HTML entities in JavaScript string literals within the < script> block

rated 0 times [ 6] [ 5] / answers: 1 / hits: 37409 / 13 Years ago, thu, january 5, 2012, 12:00:00

On the one hand if I have

<script>

var s = 'Hello </script>';

console.log(s);

</script>

the browser will terminate the <script> block early and basically I get the page screwed up.

On the other hand, the value of the string may come from a user (say, via a previously submitted form, and now the string ends up being inserted into a <script> block as a literal), so you can expect anything in that string, including maliciously formed tags. Now, if I escape the string literal with htmlentities() when generating the page, the value of s will contain the escaped entities literally, i.e. s will output

Hello &lt;/script&gt;

which is not desired behavior in this case.

One way of properly escaping JS strings within a <script> block is escaping the slash if it follows the left angle bracket, or just always escaping the slash, i.e.

var s = 'Hello </script>';

This seems to be working fine.

Then comes the question of JS code within HTML event handlers, which can be easily broken too, e.g.

<div onClick=alert('Hello >')></div>

looks valid at first but breaks in most (or all?) browsers. This, obviously requires the full HTML entity encoding.

My question is: what is the best/standard practice for properly covering all the situations above - i.e. JS within a script block, JS within event handlers - if your JS code can partly be generated on the server side and can potentially contain malicious data?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

terrence

Add To Favorites

Follow

Total Points: 120

Total Questions: 115

Total Answers: 87

Location: England

Member since Fri, May 22, 2020

4 Years ago

terrence questions

1 Cannot read properties of undefined (reading 'toHexString') in ether.js

Sun, Mar 13, 22, 00:00, 2 Years ago

1 Javascript Remove Focus on Enter Key Press

Sat, Jun 5, 21, 00:00, 3 Years ago

1 Implementing Lodash's debounce in a ReactJS functional component

Mon, Aug 31, 20, 00:00, 4 Years ago

1 How to customize mat select option group to allow nested values in angular

Thu, Jul 23, 20, 00:00, 4 Years ago

1 Read file component (fs.readFile)

Wed, Jun 17, 20, 00:00, 4 Years ago

View All

answered 13 Years ago destiniemartinac · Accepted Answer

The following characters could interfere with an HTML or Javascript parser and should be escaped in string literals: <, >, , ', , and &.

In a script block using the escape character, as you found out, works. The concatenation method (</scr' + 'ipt>') can be hard to read.

var s = 'Hello </script>';

For inline Javascript in HTML, you can use entities:

<div onClick=alert('Hello &quot;>')>click me</div>

Demo: http://jsfiddle.net/ThinkingStiff/67RZH/

The method that works in both <script> blocks and inline Javascript is uxxxx, where xxxx is the hexadecimal character code.

< - u003c

> - u003e

- u0022

' - u0027

- u005c

& - u0026

Demo: http://jsfiddle.net/ThinkingStiff/Vz8n7/

HTML:

<div onClick=alert('Hello u0022>')>click me</div>



<script>

    var s = 'Hello u003c/scriptu003e';

alert( s );

</script>