How to pass a variable from asp.net to JavaScript?
Asked
Active
Viewed 7.7k times
27
-
What are you trying to do? An example could be helpful? – Xharze May 10 '12 at 18:39
-
1whichever method you use, remember to use `Microsoft.Security.Application.AntiXss.JavaScriptEncode` to encode your string to make it more secure. – Ray Cheng May 10 '12 at 19:12
7 Answers
33
Create a property in your code behind
protected string MyProperty { get { return "your value"; } }
then in javascript
var myValue = "<%= MyProperty %>";
Habib
- 219,104
- 29
- 407
- 436
-
The security implications of this initialization pattern is being discussed here: https://security.stackexchange.com/q/265713/79604 – Anis LOUNIS aka AnixPasBesoin Nov 21 '22 at 15:13
19
There are a number of ways:
1 - Write it out in your JavaScript with <%= myVariable %>
2 - Set a cookie server-side and then retrieve the cookie client side
3 - Set a hidden form input to your value
4 - Redirect to your page with the value as a querystring parameter, and then parse the params using JavaScript
5 - Build all your JavaScript server-side, save to a variable, and then write out the variable client-side.
6 - Retrieve the value with an AJAX request
D'Arcy Rittich
- 167,292
- 40
- 290
- 283
-
The first option causes a `VBScript runtime error '800a000d' Type mismatch`... At least when the 'myVariable' is a recordset variable in a classic asp page, like `<%= rs("myVariable") %>` – Christos Karapapas Aug 31 '17 at 13:46
9
You can use an ASP.Net HiddenField. You just set its value on the server and retrieve it via javascript when you need it.
Serverside
hdf_Test.Value = "yourValue";
HTML
<asp:HiddenField runat="server" ID="hdf_Test" />
Javascript
document.getElementById('hdf_Test').value
Josh Mein
- 28,107
- 15
- 76
- 87
-
In the sever side this code doesn't work I tried string x; x.value="d"; it gives me error? – user1363918 May 10 '12 at 18:49
-
That is because you are trying to use a variable not a HiddenField control. I have updated my answer with more information. – Josh Mein May 10 '12 at 18:56
2
Use javascript tag
<script> var var1 = @var1; var var2 = @var2; </script>Use hidden field
<input type="hidden" value="@var1" id="h_var1"/> <input type="hidden" value="@var2" id="h_var2" />`
in js
$(function()
{
var var1 = $("#h_var1").val();
var var2 = $("#h_var2").val();
}
3.Retrieve data via ajax using json
var var1;
var var2;
$.get(url,function(result)
{
var1 = result.var1; var2 = result.var2;
}
@var syntax depend of your view engine. It maybe <%= Var1 %>
Liam
- 27,717
- 28
- 128
- 190
Nikolai Borisik
- 1,501
- 13
- 22
2
You can use this in your code behind:
public string json;
you need to give it a value
In your JavaScript you can enter:
<script>
var myVar = <%=json%>;
</script>
John Rodriguez
- 57
- 6
1
If you want to get the string variable equivalent in your code side, this is code:
Example:
string jsString= JsEncoder.JavaScriptEncode("This is an example of C# string to be converted to javascript string",true));
Class Code:
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text;
namespace stackoverlofw.JavascriptEncoder
{
public class JsEncoder
{
/// <summary>
/// Empty string for Java Script context
/// </summary>
private const string JavaScriptEmptyString = "''";
/// <summary>
/// Initializes character Html encoding array
/// </summary>
private static readonly char[][] SafeListCodes = InitializeSafeList();
/// <summary>
/// Encodes input strings for use in JavaScript.
/// </summary>
/// <param name="input">String to be encoded.</param>
/// <param name="emitQuotes">value indicating whether or not to emit quotes. true = emit quote. false = no quote.</param>
/// <returns>
/// Encoded string for use in JavaScript and does not return the output with en quotes.
/// </returns>
/// <remarks>
/// This function encodes all but known safe characters. Characters are encoded using \xSINGLE_BYTE_HEX and \uDOUBLE_BYTE_HEX notation.
/// <newpara/>
/// Safe characters include:
/// <list type="table">
/// <item><term>a-z</term><description>Lower case alphabet</description></item>
/// <item><term>A-Z</term><description>Upper case alphabet</description></item>
/// <item><term>0-9</term><description>Numbers</description></item>
/// <item><term>,</term><description>Comma</description></item>
/// <item><term>.</term><description>Period</description></item>
/// <item><term>-</term><description>Dash</description></item>
/// <item><term>_</term><description>Underscore</description></item>
/// <item><term> </term><description>Space</description></item>
/// <item><term> </term><description>Other International character ranges</description></item>
/// </list>
/// <newpara/>
/// Example inputs and encoded outputs:
/// <list type="table">
/// <item><term>alert('XSS Attack!');</term><description>'alert\x28\x27XSS Attack\x21\x27\x29\x3b'</description></item>
/// <item><term>user@contoso.com</term><description>'user\x40contoso.com'</description></item>
/// <item><term>Anti-Cross Site Scripting Library</term><description>'Anti-Cross Site Scripting Library'</description></item>
/// </list>
/// </remarks>
public static string JavaScriptEncode(string input, bool emitQuotes)
{
// Input validation: empty or null string condition
if (string.IsNullOrEmpty(input))
{
return emitQuotes ? JavaScriptEmptyString : string.Empty;
}
// Use a new char array.
int outputLength = 0;
int inputLength = input.Length;
char[] returnMe = new char[inputLength * 8]; // worst case length scenario
// First step is to start the encoding with an apostrophe if flag is true.
if (emitQuotes)
{
returnMe[outputLength++] = '\'';
}
for (int i = 0; i < inputLength; i++)
{
int currentCharacterAsInteger = input[i];
char currentCharacter = input[i];
if (SafeListCodes[currentCharacterAsInteger] != null || currentCharacterAsInteger == 92 || (currentCharacterAsInteger >= 123 && currentCharacterAsInteger <= 127))
{
// character needs to be encoded
if (currentCharacterAsInteger >= 127)
{
returnMe[outputLength++] = '\\';
returnMe[outputLength++] = 'u';
string hex = ((int)currentCharacter).ToString("x", CultureInfo.InvariantCulture).PadLeft(4, '0');
returnMe[outputLength++] = hex[0];
returnMe[outputLength++] = hex[1];
returnMe[outputLength++] = hex[2];
returnMe[outputLength++] = hex[3];
}
else
{
returnMe[outputLength++] = '\\';
returnMe[outputLength++] = 'x';
string hex = ((int)currentCharacter).ToString("x", CultureInfo.InvariantCulture).PadLeft(2, '0');
returnMe[outputLength++] = hex[0];
returnMe[outputLength++] = hex[1];
}
}
else
{
// character does not need encoding
returnMe[outputLength++] = input[i];
}
}
// Last step is to end the encoding with an apostrophe if flag is true.
if (emitQuotes)
{
returnMe[outputLength++] = '\'';
}
return new string(returnMe, 0, outputLength);
}
/// <summary>
/// Initializes the safe list.
/// </summary>
/// <returns>A two dimensional character array containing characters and their encoded values.</returns>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Maintainability", "CA1502:AvoidExcessiveComplexity", Justification = "This is necessary complexity.")]
private static char[][] InitializeSafeList()
{
char[][] allCharacters = new char[65536][];
for (int i = 0; i < allCharacters.Length; i++)
{
if (
(i >= 97 && i <= 122) || // a-z
(i >= 65 && i <= 90) || // A-Z
(i >= 48 && i <= 57) || // 0-9
i == 32 || // space
i == 46 || // .
i == 44 || // ,
i == 45 || // -
i == 95 || // _
(i >= 256 && i <= 591) || // Latin,Extended-A,Latin Extended-B
(i >= 880 && i <= 2047) || // Greek and Coptic,Cyrillic,Cyrillic Supplement,Armenian,Hebrew,Arabic,Syriac,Arabic,Supplement,Thaana,NKo
(i >= 2304 && i <= 6319) || // Devanagari,Bengali,Gurmukhi,Gujarati,Oriya,Tamil,Telugu,Kannada,Malayalam,Sinhala,Thai,Lao,Tibetan,Myanmar,eorgian,Hangul Jamo,Ethiopic,Ethiopic Supplement,Cherokee,Unified Canadian Aboriginal Syllabics,Ogham,Runic,Tagalog,Hanunoo,Buhid,Tagbanwa,Khmer,Mongolian
(i >= 6400 && i <= 6687) || // Limbu, Tai Le, New Tai Lue, Khmer, Symbols, Buginese
(i >= 6912 && i <= 7039) || // Balinese
(i >= 7680 && i <= 8191) || // Latin Extended Additional, Greek Extended
(i >= 11264 && i <= 11743) || // Glagolitic, Latin Extended-C, Coptic, Georgian Supplement, Tifinagh, Ethiopic Extended
(i >= 12352 && i <= 12591) || // Hiragana, Katakana, Bopomofo
(i >= 12688 && i <= 12735) || // Kanbun, Bopomofo Extended
(i >= 12784 && i <= 12799) || // Katakana, Phonetic Extensions
(i >= 19968 && i <= 40899) || // Mixed japanese/chinese/korean
(i >= 40960 && i <= 42191) || // Yi Syllables, Yi Radicals
(i >= 42784 && i <= 43055) || // Latin Extended-D, Syloti, Nagri
(i >= 43072 && i <= 43135) || // Phags-pa
(i >= 44032 && i <= 55215) /* Hangul Syllables */)
{
allCharacters[i] = null;
}
else
{
string integerStringValue = i.ToString(CultureInfo.InvariantCulture);
int integerStringLength = integerStringValue.Length;
char[] thisChar = new char[integerStringLength];
for (int j = 0; j < integerStringLength; j++)
{
thisChar[j] = integerStringValue[j];
}
allCharacters[i] = thisChar;
}
}
return allCharacters;
}
}
}
X.Otano
- 2,079
- 1
- 22
- 40
0
In HTML:
<script type="text/javascript">
alert(<%=Greetings()%>);
</script>
In code behind:
protected string Greetings()
{
return Microsoft.Security.Application.AntiXss.JavaScriptEncode("Hello World!");
}
Ray Cheng
- 12,230
- 14
- 74
- 137