5

I have the following script, which encodes some of the value it receives properly, but it does not seem to encode double quotes.

How do I encode the full value properly before posting?

function htmlEncode(value){
    // serialise value as a text node, then read back the markup jQuery produces
    return $('<div/>').text(value).html();
}

The above script gives me this:

&lt;p&gt;Test&amp;nbsp; &lt;span style="color: #ffffff"&gt;&lt;strong&gt;&lt;span style="background-color: #ff0000"&gt;1+1+1=3&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;

I need it to give me this:

&lt;p&gt;Test&amp;nbsp; &lt;span style=&quot;color: #ffffff&quot;&gt;&lt;strong&gt;&lt;span style=&quot;background-color: #ff0000&quot;&gt;1+1+1=3&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;

EDIT: Followup question: Encoded HTML in database back to page

oshirowanen
  • It looks like you are trying to get the client to make some text HTML safe before submitting it to the server. Don't do that. Make content HTML safe on the way out of the system, not on the way in (and especially not on the client, where it can be tampered with) – Quentin Feb 04 '11 at 14:24
  • Why do you need to do it JS on the client? – troutinator Feb 04 '11 at 14:25
  • Why do you want it to give you `&quot;` anyway? Unless you are planning to insert the data into an attribute value (that you mash together using strings instead of using a DOM or other sensible API) then you're just using 6 bytes when 1 will do and making it harder to read. – Quentin Feb 04 '11 at 14:25
  • I tried sending the server html, but it did not like it: http://stackoverflow.com/questions/4897441/a-potentially-dangerous-request-form – oshirowanen Feb 04 '11 at 14:25
  • see this link http://www.tumuski.com/code/htmlencode/ – andres descalzo Feb 04 '11 at 14:25
  • You've been given bad advice. You should turn off the over-sensitive filter so you can get the data you want to receive (and then handle it carefully to protect yourself from XSS). – Quentin Feb 04 '11 at 14:30
  • Follow up question here: http://stackoverflow.com/questions/4899365/encoded-html-in-database-back-to-page – oshirowanen Feb 04 '11 at 14:56
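As an added example (not the asker's code and not from any answer): a jQuery-free encoder that covers all five HTML-significant characters, including both kinds of quote, together with the matching decoder and a guard against encoding the same value twice. The raw input string below is constructed from the question's expected output; everything else is assumed for the illustration.

```javascript
// Added example, not code from the question or any answer: a jQuery-free
// HTML encoder that also handles quotes, plus the matching decoder and a
// double-encoding check. Runs in a browser or in Node.

// Characters that are significant in HTML text or attribute values.
// &apos; is not an HTML 4 entity, so the numeric form is used for the
// single quote.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// One regex pass with a callback: '&' is in the character class, so it is
// escaped in the same pass and the output is never rescanned (no "&amp;lt;").
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inverse for the entities htmlEncode emits, plus the ones rich-text editors
// commonly produce (&apos;, &#x27;, &nbsp;). Single pass again, so "&amp;lt;"
// decodes to "&lt;" rather than collapsing all the way to "<".
const HTML_UNESCAPES = {
  '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"',
  '&#39;': "'", '&#x27;': "'", '&apos;': "'", '&nbsp;': '\u00a0',
};

function htmlDecode(value) {
  return String(value).replace(/&(?:amp|lt|gt|quot|#39|#x27|apos|nbsp);/g,
    (entity) => HTML_UNESCAPES[entity]);
}

// True when the value already contains entities htmlEncode would produce.
// Use it as a guard before storing, so data is not encoded a second time.
function looksHtmlEncoded(value) {
  return /&(?:amp|lt|gt|quot|#39);/.test(String(value));
}

// Approximation of what $('<div/>').text(value).html() returns: serialising
// a text node only escapes &, < and > (and a raw non-breaking space), since
// quotes are only special inside attribute values.
function textNodeEncode(value) {
  return String(value).replace(/[&<>]/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: the raw editor output behind the question's expected
// result (the question itself shows only the encoded forms).
const SAMPLE_HTML =
  '<p>Test&nbsp; <span style="color: #ffffff"><strong>' +
  '<span style="background-color: #ff0000">1+1+1=3</span></strong></span></p>';

function encodeSample() {
  return htmlEncode(SAMPLE_HTML);
}

if (typeof console !== 'undefined') {
  console.log(encodeSample());
  console.log('round trip ok:', htmlDecode(encodeSample()) === SAMPLE_HTML);
  console.log('already encoded:', looksHtmlEncoded(encodeSample()));
}
```

`encodeSample()` returns exactly the string the question asks for, while `textNodeEncode()` reproduces the version with bare quotes that the jQuery one-liner produced. Whichever side does the encoding, store one representation consistently and run `looksHtmlEncoded()` (or an equivalent check) before encoding again, or stored values end up as `&amp;lt;`.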

6 Answers

8

You shouldn't try to encode things with JavaScript.

You should encode it serverside.

Anything that can be done with JavaScript can be undone.

It is valid to encode it in JavaScript if you also check that it was encoded on the server, but keep in mind: JavaScript can be disabled.

George Stocker
  • I tried posting standard html to the server, but i get an error saying that i am trying to do cross site scripting or something along those lines. Here is a link when I tried to send html to the server without encoding it. http://stackoverflow.com/questions/4897441/a-potentially-dangerous-request-form – oshirowanen Feb 04 '11 at 14:24
  • @oshirowanen I guess you are using `vb.net`, you have to disable the page validation to be able to get the content as is. – BrunoLM Feb 04 '11 at 14:27
  • What are you using as your server side language? – George Stocker Feb 04 '11 at 14:27
  • Follow up question here: http://stackoverflow.com/questions/4899365/encoded-html-in-database-back-to-page – oshirowanen Feb 04 '11 at 14:57
  • there are perfectly valid times to encode with javascript, such as when you want to NOT trigger asp.net's XSS detection when you post – Adam Tuliper Dec 12 '11 at 05:47
  • @AdamTuliper You're quite right, but JavaScript can be disabled. Whether or not you encode it in JavaScript, you must also run it through serverside encoding. – George Stocker Feb 10 '12 at 02:29
  • @GeorgeStocker agreed, but your comment was to not encode things with javascript, and there are 100% valid times to do this prior to posting. In this case I mentioned you would not want to encode on the server side, the purpose is to encode to bypass restrictions of posting html without disabling request validation. Data generally shouldn't be stored encoded but sanitized otherwise you are open to double encoding issues. – Adam Tuliper Feb 10 '12 at 03:47
5

What George says is true. But, if you have to encode strings client-side, I'd suggest you use JavaScript's encodeURIComponent().

Labu
  • `The escape and unescape functions are deprecated. Use encodeURI, encodeURIComponent, decodeURI or decodeURIComponent to encode and decode escape sequences for special characters.` https://developer.mozilla.org/en/JavaScript/Reference/Deprecated_Features – BrunoLM Feb 04 '11 at 14:29
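An added example, not part of the answer above, showing what `encodeURIComponent()` actually does to a value like the one in the question. It is percent-encoding for URLs and form bodies: the server framework reverses it before your code sees the value, and it leaves the single quote untouched, so it is transport encoding rather than a substitute for HTML escaping. The input string and the simulated server step are constructed for this illustration.

```javascript
// Added example, not from the answer: encodeURIComponent() on the question's
// kind of value, with the server's decode step simulated in the same file.

// Constructed input, a fragment of the question's sample.
const RAW = '<span style="color: #ffffff">1+1+1=3</span>';

// Client: percent-encode for a form body. Every character outside the
// unreserved set (A-Z a-z 0-9 - _ . ! ~ * ' ( )) becomes %XX, so no '<' or
// '"' travels literally and a naive request filter sees nothing to reject.
function urlEncodeForPost(value) {
  return encodeURIComponent(value);
}

// Server side (simulated): any web framework decodes the form body back to
// the original string, so whatever was "hidden" by percent-encoding is back.
function serverDecodes(body) {
  return decodeURIComponent(body);
}

// Which HTML-significant characters are still present in a string. For the
// wire form of RAW this is empty; for a value containing single quotes it is
// not, because encodeURIComponent does not touch the apostrophe.
function survivingHtmlSpecials(s) {
  return String(s).match(/[&<>"']/g) || [];
}

function demo() {
  const wire = urlEncodeForPost(RAW);
  return { wire, restored: serverDecodes(wire) };
}

if (typeof console !== 'undefined') {
  const r = demo();
  console.log('on the wire :', r.wire);
  console.log('after decode:', r.restored);
  console.log('specials left in wire form:', survivingHtmlSpecials(r.wire));
  console.log("single quotes survive:", urlEncodeForPost("' onmouseover='x"));
}
```

`demo().restored` is byte-for-byte the original markup, which is the point: once the server has decoded the request, the value still has to be HTML-encoded on output, exactly as the accepted answer says.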
2

I had a similar problem. I simply used the replace method in javascript. Here's a nice article to read: http://www.w3schools.com/jsref/jsref_replace.asp

Basically what the replace method does is it swaps or replaces the character it finds with what you indicate as replacement character(s).

So this:

var str=' " That " ';
str = str.replace(/"/g,'&quot;');

Once you log this into the console of your browser, you will get something like

&quot; That &quot;

And this:

var str=' " That " ';
str = str.replace(/"/g,'blahblahblah');

Once you log this into the console of your browser, you will get something like

blahblahblah That blahblahblah
MMK
1

You can use this module in js, without requiring jQuery:

htmlencode

andres descalzo
0

You can re-use functions from php.js project - htmlentities and get_html_translation_table

Distdev
  • It really should be done server-side. Anyway, you should use `htmlspecialchars()` instead of `htmlentities()`. – alexia Feb 04 '11 at 14:35
-1

Use escape(str) at client side

and

HttpUtility.UrlDecode(str, System.Text.Encoding.Default); at server side

it worked for me.

Sohel Pathan
  • I'm not sure you understood the question, and this is specifically asking for client-side code to be submitted to the server. It also does not mention the server at all, so the server code you've included could very likely not be relevant. – Andrew Barber Apr 02 '14 at 13:22
  • Yes, Andrew, you're right. I have given him a trick for client-side encoding, and additionally I have suggested how to handle it at the server side, if it is necessary. – Sohel Pathan Apr 03 '14 at 15:02