How can I make sure the string is clean for insertion into javascript Alert ("error message")

Question

How can I make sure the string is clean for insertion into javascript Alert ("error message")

I'm trying to show an error to a webpage user using a javascript popup, currently I have the following code to clear the error string:

errorMessage.Replace("'", "\'")

But this is not enough, since some illegal characters are not deleted, is there any static method in the structure that will format my string for clean insertion in html?

Update : my initial question was a bit controversial. the line must be valid, as in the warning ("this is some" illegal text "that will not pop up"); I will try Server.HtmlEncode, hope this does the trick.

+6

javascript c # asp.net alert

user373186 Jun 24 '10 at 9:18

source share

8 answers

Philpursglove · Answer 1 · 2010-06-24T09:33:09+0000

If you look at the AntiXSS module in the Web Protection Library , you will find that it has a JavaScriptEncode(string) method for just this kind of thing.

jvenema · Answer 2 · 2010-06-24T12:33:50+0000

There's a simple solution ... use a DataContractJsonSerializer and serialize the string value. By serializing a string in JSON, you by definition guarantee that it will work well inside the warning statement.

Lucero · Answer 3 · 2010-06-24T09:21:43+0000

You want to avoid XSS vulnerabilities, which is good. The following cheat sheet should help you (and also contain a link to the code to escape the string):

http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Hinek · Answer 4 · 2010-06-24T09:25:58+0000

To avoid the line for a clean paste in html, you can use the HttpUtility.HtmlEncode method. I am not sure if this will help you with javascript.

http://msdn.microsoft.com/en-us/library/73z22y6h.aspx

Panagiotis kanavos · Answer 5 · 2010-06-24T09:54:41+0000

If you are using ASP.NET 4, you can use the new syntax <%:%> for the HtmlEncode generated string AND replace the default encoder with AntiXSS or any other library that you may prefer. Phil Haack explains how to do this Using AntiXss as the default encoder for ASP.NET

Thus, you can write a warning as follows:

 alert('<%: this.ErrorMessage %>');

In previous versions, you can use what others suggested, either HtmlEncode or AntiXss:

 alert('<%= HttpUtility.HtmlEncode(this.ErrorMessage) %>');

or

 alert('<%= AntiXss.HtmlEncode(this.ErrorMessage) %>');

Joe · Answer 6 · 2010-06-24T10:52:47+0000

HttpUtility.HtmlEncode will not encode a single quote (') and is not suitable for encoding a string that will be used as a warning message. Personally, I do it like this:

 public static string EscapeAlertMessage(string value) { value = value.Replace("\\", "\\\\"); value = value.Replace("'", "\\'"); value = value.Replace("\"", "\\\""); return value; }

If your message contains several lines, you can replace them with "\ n" - for example. if the lines are separated by the .NewLine environment:

 value = value.Replace(Environment.NewLine, "\\n");

Or, if you do not know what the delimiters are (\ r \ n, \ n or \ r), you can use:

 value = value.Replace("\r", "\\r"); value = value.Replace("\n", "\\n");

user373186 · Answer 7 · 2010-06-24T12:08:23+0000

Thanks for the help, but none of the answers provided gave me a complete solution.

Joe's answer was the closest, but he did not account for the new line. I could not find a way to translate C # newline to the javascript equivalent.

 public static string EscapeAlertMessage(string value) { value = value.Replace("\\", "\\\\"); value = value.Replace("'", "\\'"); value = value.Replace("\"", "\\\""); value = value.Replace(Environment.NewLine, "--"); return value; }

Ronondex · Answer 8 · 2013-12-04T09:25:55+0000

In my projects, I use the following function. It displays all possible characters for Javascript:

  /// <summary> /// Encodes a string to be represented as a string literal. The format /// is essentially a JSON string. /// /// Example Output: Hello \"Rick\"!\r\nRock on /// </summary> /// <param name="s"></param> /// <returns></returns> public static string EncodeJsString(string s) { StringBuilder sb = new StringBuilder(); foreach (char c in s) { switch (c) { case '\"': sb.Append("\\\""); break; case '\\': sb.Append("\\\\"); break; case '\b': sb.Append("\\b"); break; case '\f': sb.Append("\\f"); break; case '\n': sb.Append("\\n"); break; case '\r': sb.Append("\\r"); break; case '\t': sb.Append("\\t"); break; case '\'': sb.Append("\\'"); break; default: int i = (int)c; if (i < 32 || i > 127) { sb.AppendFormat("\\u{0:X04}", i); } else { sb.Append(c); } break; } } return sb.ToString(); }

How can I make sure the string is clean for insertion into javascript Alert ("error message")

More articles: