jquery - Javascript decodes encoded string automatically? -



jquery - Javascript decodes encoded string automatically? -

i've been reading blog post , saw says js encoding vulnerability. in sample code below, if user enters :

\x3cscript\x3e%20alert(\x27pwnd\x27)%20\x3c/script\x3e, says js render html looks odd me. tried , right.

@{ viewbag.title = "home page"; } <h2 id="welcome-message">welcome our website</h2> @if(!string.isnullorwhitespace(viewbag.username)) { <script type="text/javascript"> $(function () { //viewbag.username value comes controller. var message = 'welcome, @viewbag.username!'; $("#welcome-message").html(message).hide().show('slow'); }); </script> }

my question is, why javascript decodes encoded string automatically? or have jquery's html() function that? op says utilize ajax.encodejavascriptstring() method in order solve problem. why need encode encoded string? checked jquery's website , doesn't mention html() method.

if see whole blog post, please visit address http://weblogs.asp.net/jgalloway/archive/2011/04/28/preventing-javascript-encoding-xss-attacks-in-asp-net-mvc.aspx

have @ html result:

<script type="text/javascript"> $(function () { var message = 'welcome, \x3cscript\x3e alert(\x27pwnd\x27) \x3c/script\x3e!'; $("#welcome-message").html(message).hide().show('slow'); }); </script>

yet, js string contains character escape sequences , equal to

'welcome, <script> alert("pwnd") </script>!'

so, want escape these escape sequences (including simple things \n or \t) js string delimiters ' , " - using @encoder.javascriptencode.

javascript jquery asp.net-mvc

Comments

Post a Comment

Popular posts from this blog

web services - java.lang.NoClassDefFoundError: Could not initialize class net.sf.cglib.proxy.Enhancer -

web services - java.lang.NoClassDefFoundError: Could not initialize class net.sf.cglib.proxy.Enhancer - when trying request rest service @ time of response getting exception.. feb 21, 2013 2:34:49 pm com.sun.jersey.spi.container.containerresponse mapmappablecontainerexception severe: exception contained within mappablecontainerexception not mapped response, re-throwing http container java.lang.noclassdeffounderror: not initialize class net.sf.cglib.proxy.enhancer @ org.hibernate.proxy.pojo.cglib.cgliblazyinitializer.getproxyfactory(cgliblazyinitializer.java:117) @ org.hibernate.proxy.pojo.cglib.cglibproxyfactory.postinstantiate(cglibproxyfactory.java:43) @ org.hibernate.tuple.entity.pojoentitytuplizer.buildproxyfactory(pojoentitytuplizer.java:162) @ org.hibernate.tuple.entity.abstractentitytuplizer.<init>(abstractentitytuplizer.java:135) @ org.hibernate.tuple.entity.pojoentitytuplizer.<init>(pojoentitytuplizer.java:55) @ org.hibernate.tuple.e...
Read more

Accessing MATLAB's unicode strings from C -

Accessing MATLAB's unicode strings from C - how can access underlying unicode info of matlab strings through matlab engine or mex c interfaces? here's example. let's set unicode characters in utf-8 encoded file test.txt, read as fid=fopen('test.txt','r','l','utf-8'); s=fscanf(fid, '%s') in matlab. now if first feature('defaultcharacterset', 'utf-8') , c engevalstring(ep, "s") , output text file utf-8. proves matlab stores unicode internally. if mxarraytostring(enggetvariable(ep, "s")) , unicode2native(s, 'latin-1') give me in matlab: non-latin-1 characters replaced character code 26. need getting access underlying unicode info c string in unicode format (utf-8, utf-16, etc.), , preserving non-latin-1 characters. is possible? my platform os x, matlab r2012b. addendum: documentation explicitly states "[mxarraytostring()] supports multibyte encoded characters...
Read more

javascript - mongodb won't find my schema method in nested container -

javascript - mongodb won't find my schema method in nested container - i trying access method of schema stored within mixed container. here situation : have cases model can many different things, have schema each of these things stored in "casecontent" mixed property. var caseschema = mongoose.schema({ casecontent : {}, object : {type:string, default : "null"}, collision : {type : boolean, default : false} }); the casecontent property filled model of 1 of schemas, 1 exemple : var treeschema = new mongoose.schema({ applecount : {type : number, default : 3} }); treeschema.methods.dostuff = function (data) { console.log('hey, listen'); homecoming true; }; then, want utilize method of schema original container : caseschema.methods.dostuff = function (data) { if (this.casecontent.dostuff !== undefined) { this.casecontent.dostuff(); console.log('it worked'); } else { ...
Read more