74

I'm trying to pass the output of a SQL Server exception to the client using the RegisterStartUpScript method of the MS ScriptManager in .NET 3.5. This works fine for some errors but when the exception contains single quotes the alert fails.

I dont want to only escape single quotes though. Is there a standard function I can call to escape any special chars for use in JavaScript?

string scriptstring = "alert('" + ex.Message + "');";         
ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", scriptstring , true);

EDIT:

Thanks @tpeczek, the code almost worked for me :) but with a slight amendment (the escaping of single quotes) it works a treat.

I've included my amended version here...

public class JSEncode
{
    /// <summary>
    /// Encodes a string to be represented as a string literal. The format
    /// is essentially a JSON string.
    /// 
    /// The string returned includes outer quotes 
    /// Example Output: "Hello \"Rick\"!\r\nRock on"
    /// </summary>
    /// <param name="s"></param>
    /// <returns></returns>
    public static string EncodeJsString(string s)
    {
        StringBuilder sb = new StringBuilder();
        sb.Append("\"");
        foreach (char c in s)
        {
            switch (c)
            {
                case '\'':
                    sb.Append("\\\'");
                    break;
                case '\"':
                    sb.Append("\\\"");
                    break;
                case '\\':
                    sb.Append("\\\\");
                    break;
                case '\b':
                    sb.Append("\\b");
                    break;
                case '\f':
                    sb.Append("\\f");
                    break;
                case '\n':
                    sb.Append("\\n");
                    break;
                case '\r':
                    sb.Append("\\r");
                    break;
                case '\t':
                    sb.Append("\\t");
                    break;
                default:
                    int i = (int)c;
                    if (i < 32 || i > 127)
                    {
                        sb.AppendFormat("\\u{0:X04}", i);
                    }
                    else
                    {
                        sb.Append(c);
                    }
                    break;
            }
        }
        sb.Append("\"");

        return sb.ToString();
    }
}

As mentioned below - original source: here

Rich Andrews
  • 4,168
  • 3
  • 35
  • 48

3 Answers3

185

Have you had a look at HttpUtility.JavaScriptStringEncode?

ajbeaven
  • 9,265
  • 13
  • 76
  • 121
Russ Cam
  • 124,184
  • 33
  • 204
  • 266
  • 9
    Upvoted because its a great answer - only works in .NET 4 though – Rich Andrews Aug 31 '10 at 11:33
  • 5
    I think that when there is a framework function for a specific task (like this) it is often more reliable and accurate than the do-it-yourself ones, so it's better stick with it.. – Luke Jan 23 '13 at 11:37
  • This article shows how to implement it pre .NET 4 http://briancaos.wordpress.com/2012/05/16/javascript-string-encoding-in-c/ – rdans Nov 19 '13 at 11:33
  • 2
    @eddy, the question states .NET 3.5, not 4 and this code only works in 4+. That's why it is not the answer. – Rich Andrews Apr 25 '14 at 14:19
  • 1
    Note: For those looking for a way to encode international characters into escaped sequences, this will not work. See [this question](http://stackoverflow.com/questions/1615559/converting-unicode-strings-to-escaped-ascii-string) for a solution to that problem. – R. Salisbury Dec 03 '15 at 14:48
  • i read that the question is for 3.5 but still this should be the correct answer as 3.5 is starting to be obsolete and this is the first result when i google "c# encode string for javascript alert", maybe add the function code in case you use 3.5 or lower – Alas May 20 '16 at 19:36
  • The entirety of the MSDN description for that method is "Encodes a string." Is there a more complete description of what the method actually does? – Jon Schneider May 23 '17 at 13:43
  • Note that this method also correctly handles – Jordan Rieger May 11 '22 at 22:24
10

A probem with this function is that it doesn't encode characters that are typically out-of-band in encapsulating HTML... so you'd have trouble if you tried to include a string with " inside an attribute value, or if you had a string with the sequence </script> inside a script element. That could lead to script-injection and XSS.

You could add:

            case '<':
                sb.Append("\\x3C");
                break;
            case '"':
                sb.Append("\\x22");
                break;
            case '&':
                sb.Append("\\x26");
                break;

In general it would probably be better to use a standard JSON encoder than brew your own JS string literal encoder. This will allow you to pass any simple datatype to JS rather than just strings.

In .NET 3.5 you get JavaScriptSerializer, however note that whilst this does encode < to \u003C (so the output will be suitable for use in a <script> element), it doesn't encode & or ", so HTML-escaping would be needed to include such content in an attribute value and a CDATA wrapper would be needed for XHTML script elements.

(In common with many JSON encoders, it also fails to encode the U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR characters. The above code does, due to escaping all non-ASCII characters. This causes ‘unterminated string literal’ errors when these characters are included in a JS string literal, because JavaScript unhelpfully treats them the same as an ASCII newline.)

bobince
  • 528,062
  • 107
  • 651
  • 834
  • 1
    Great write-up. Note that `JavaScriptSerializer` is also available in .NET 2 via the ASP.NET AJAX 1.0 out-of-band release (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ca9d90fa-e8c9-42e3-aa19-08e2c027f5d6&displaylang=en). – bdukes Sep 20 '10 at 17:05
  • 1
    In that case you wouldn't you use `HttpUtility.HtmlAttributeEncode(HttpUtility.JavaScriptStringEncode(unencodedString))` or `HttpUtility.HtmlEncode(HttpUtility.JavaScriptStringEncode(unencodedString))` depending upon the context? – Martin Brown Mar 01 '16 at 10:08
  • @MartinBrown: you could use either of those to inject into JS-in-HTML-attribute, yes (although it's generally a bad idea to be doing that). The `HtmlEncode` and `HtmlAttributeEncode` methods are curiously named; it seems like one ought to work better for attribute values and one ought to work better for text content, but there is no such distinction in practice judging by the referencesource. They are just two arbitrarily-differently-implemented HTML encoders. – bobince Mar 02 '16 at 07:30
3

This is an old thread, but you may be interested to know about the Microsoft AntiXSS library which has a Javascript encode method which works for .Net 2 onwards.

http://msdn.microsoft.com/en-gb/security/aa973814.aspx

DomBat
  • 1,981
  • 5
  • 27
  • 42