Best IT Recipes

Is there a standard way to encode a .NET string into a JavaScript string for use in MS Ajax?

I am trying to pass the result of the SQL Server exception to the client using the RegisterStartUpScript MS ScriptManager method in .NET 3.5. This works fine for some errors, but when the exception contains single quotes, the warning does not work.

I do not want to just avoid single quotes. Is there a standard function that I can call to avoid any special characters for use in JavaScript?

 string scriptstring = "alert('" + ex.Message + "');"; ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", scriptstring , true);


EDIT

Thanks @tpeczek, the code almost worked for me :), but with a little correction (dropping single quotes) this works.

I have included my modified version here ...

 public class JSEncode { /// <summary> /// Encodes a string to be represented as a string literal. The format /// is essentially a JSON string. /// /// The string returned includes outer quotes /// Example Output: "Hello \"Rick\"!\r\nRock on" /// </summary> /// <param name="s"></param> /// <returns></returns> public static string EncodeJsString(string s) { StringBuilder sb = new StringBuilder(); sb.Append("\""); foreach (char c in s) { switch (c) { case '\'': sb.Append("\\\'"); break; case '\"': sb.Append("\\\""); break; case '\\': sb.Append("\\\\"); break; case '\b': sb.Append("\\b"); break; case '\f': sb.Append("\\f"); break; case '\n': sb.Append("\\n"); break; case '\r': sb.Append("\\r"); break; case '\t': sb.Append("\\t"); break; default: int i = (int)c; if (i < 32 || i > 127) { sb.AppendFormat("\\u{0:X04}", i); } else { sb.Append(c); } break; } } sb.Append("\""); return sb.ToString(); } }

As mentioned below - source: here

+68
javascript c # ajax encoding
May 27 '10 at 11:45 a.m.
source share
3 answers

Have you looked at HttpUtility.JavaScriptStringEncode ?

+163
Aug 20 '10 at 6:27
source share

The problem with this function is that it does not encode characters that are usually not in a range when encapsulating HTML ... so you will have problems if you try to include a string with an " inside attribute value, or if you had a string with sequence </script> inside the script element. This can lead to script injection and XSS.

You can add:

  case '<': sb.Append("\\x3C"); break; case '"': sb.Append("\\x22"); break; case '&': sb.Append("\\x26"); break;

In general, it is probably better to use a standard JSON encoder than brew your own native JS string encoder. This will allow you to pass any simple data type to JS, not just strings.

In .NET 3.5 you get a JavaScriptSerializer , however, note that while this encodes < in \u003C (so the output will be used for use in the <script> element), it does not encode & or " , so to include such content in the attribute value will require HTML escaping and XHTML will require a CDATA shell script.

(Like many JSON encoders, it also cannot encode UL + 2028 LINE SEPARATOR and U + 2029 PARAPRAPH SEPARATOR characters. The above code does this because of escaping all non-ASCII characters. This results in an "uninitialized error string literal, when these characters are included in the JS string literal, because JavaScript is useless to them the same way as to a new ASCII string.)

+9
May 27 '10 at 13:19
source share

This is an old thread, but you might be interested in learning about the Microsoft AntiXSS library, which has a Javascript encoding method that works for .Net 2 onwards.

http://msdn.microsoft.com/en-gb/security/aa973814.aspx

+3
Jan 19 '15 at 14:59
source share


More articles:


All Articles