
I have this code in my program:

res.send('<html><script>window.opener.alert("' + message + '");window.close();</script></html>');

Now... message is something I cannot really predict, although it does come back from an established API and it SHOULD be ok. However, "should" is just not good enough. I realise that I have to escape any " (or it will break the string). However...

  • Do I need to escape anything else?
  • Is there a ready-to-use function for this?
MrCode
Merc
  • you can use underscore.js http://underscorejs.org/#escape it has many utility functions – muneebShabbir Jun 17 '13 at 06:56
  • 1
    Use the function in this answer to escape: http://stackoverflow.com/questions/1787322/htmlspecialchars-equivalent-in-javascript – MrCode Jun 17 '13 at 06:57
  • 1
    what is the server side technology used? – Arun P Johny Jun 17 '13 at 06:57
  • Apologies, it's nodejs on the server side. Sorry, I thought res.send would make it obvious...! – Merc Jun 17 '13 at 06:59
  • @MrCode: you should post this as an answer, because it's the correct answer! – hereandnow78 Jun 17 '13 at 08:37
  • 1
    @hereandnow78 yeah I was going to post as answer but thought it would be a duplicate. Actually looking at it again you would need some other solution because `alert()` doesn't decode HTML entities, so you would see literally `&` and `"` etc. Personally I would put the message in the body of the new window instead of an alert. – MrCode Jun 17 '13 at 08:46
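An added example, not code from the question or from any commenter: the popup page built with the message serialised as a JavaScript string literal, so that neither a quote nor a closing tag in the message can alter the script. It assumes Node.js on the server; `renderPopup` stands in for the `res.send(...)` call, and `renderPopupNaive` reproduces the question's concatenation for comparison. It also covers what MrCode's comment points out: nothing here relies on HTML entities, because `alert()` shows its argument verbatim and the escaping is done at the JavaScript-literal level instead.

```javascript
// Added example (not from the question or its comments). Assumes Node.js;
// renderPopup() returns the HTML that res.send() would emit.

// Serialise a string as a JS literal that is safe inside an inline <script>.
// JSON.stringify handles quotes, backslashes and control characters; the extra
// replacements cover what it leaves alone: "<" and ">" (so a "</script>" in the
// message cannot end the script element before the JS runs), "&", and
// U+2028/U+2029, which older engines treat as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The question's pattern, kept for comparison: the raw message is pasted into the
// source text, so a quote or a closing tag in it changes the page structure.
function renderPopupNaive(message) {
  return '<html><script>window.opener.alert("' + message + '");window.close();</script></html>';
}

// Hardened version: alert() receives a literal that evaluates back to the exact
// original string, whatever characters it contains. No quotes are added around
// the literal, since jsStringLiteral() already supplies them.
function renderPopup(message) {
  return '<html><script>window.opener.alert(' + jsStringLiteral(message) +
         ');window.close();</script></html>';
}

// Evaluate the literal the way the browser would, to check the round trip offline.
function roundTrip(message) {
  return new Function('return ' + jsStringLiteral(message) + ';')();
}

// Constructed sample messages: plain text, an embedded quote, a closing tag, a tab.
const SAMPLES = ['Saved OK', 'She said "hi"', 'done</script><b>x</b>', 'tab\there'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of SAMPLES) {
    console.log(renderPopup(m));
    console.log('round trip ok:', roundTrip(m) === m);
  }
}
```

The naive page contains a second `</script>` as soon as the message does, while the hardened page always contains exactly one, and every sample evaluates back to the original string.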

1 Answer

-1

Use the v8 btoa and atob shim to encode and decode the message:

res.send('<html><script>window.opener.alert("' + btoa(message) + '");window.close();</script></html>');

Or JSON.stringify:

res.send('<html><script>window.opener.alert("' + JSON.stringify(message) + '");window.close();</script></html>');
Paul Sweatte
  • Not sure if you missed something in your answer... but doing a `btoa` will scramble the message! – Merc Dec 17 '13 at 03:00
  • So if you unscramble it using atob(btoa(message)), does it return different text than the original? – Paul Sweatte Dec 17 '13 at 03:08
  • It doesn't, no, but what's the point to scramble/unscramble if the result is the same? – Merc Dec 19 '13 at 00:28
  • That's not the point. The point is to escape and unescape a message. Is it useful for that? Only you know the answer. – Paul Sweatte Dec 19 '13 at 18:00
  • I need to show "A" without worrying about special characters. Scramble "A", and then unscramble, and then show it (without escaping special characters) is pointless, since the scramble -> unscramble process does not bring you _any_ benefits. – Merc Dec 19 '13 at 23:50
  • Of course not, it's a two step process. You scramble it in one function, pass the scrambled text to another function, then unscramble it before printing to the screen. – Paul Sweatte Dec 20 '13 at 02:45
  • Replace window.opener.alert with a function call. That function takes the scrambled text as a parameter. Inside that function, it unscrambles the text and prints it via `window.opener.alert`. – Paul Sweatte Dec 20 '13 at 02:52
  • Any special characters will _still_ be present in `window.opener.alert`! The scramble/unscramble process is pointless, the problem is with what's passed to `window.opener.alert`! – Merc Dec 20 '13 at 06:37
  • That is not clear from your question. If you need to avoid breaking the string, then simply use window.opener.alert(message). – Paul Sweatte Dec 20 '13 at 16:32
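An added example, not code from the answer or its comment thread: the two-step transport the answer describes, written out in full. Base64 output only ever contains `[A-Za-z0-9+/=]`, so the encoded text can never hold a quote, a backslash or a `</script>`; the popup decodes it back to text client-side and hands the result to `alert()` as data, which is why the original special characters never reach the script source. It assumes Node.js on the server and uses `Buffer` rather than `btoa()`, because `btoa()` throws on any character above U+00FF while this handles all of UTF-8; `decodeForDisplay` is a server-side mirror of the popup's decode so the round trip can be checked without a browser.

```javascript
// Added example (not from the answer). Assumes Node.js on the server.

// Step 1 (server): encode the message as base64 so that only [A-Za-z0-9+/=]
// ends up inside the script. Buffer handles all of UTF-8; btoa() would throw on
// characters above U+00FF.
function encodeForTransport(message) {
  return Buffer.from(String(message), 'utf8').toString('base64');
}

// Step 2 (popup): the inline script decodes the base64 text before calling
// alert(). atob() yields a "binary string" (one char per byte), so the bytes go
// through TextDecoder to recover the original UTF-8 text. alert() then shows
// that text as a value; it never becomes part of the script or the HTML source.
function renderPopupBase64(message) {
  const b64 = encodeForTransport(message);
  return '<html><script>' +
    'var bin = atob("' + b64 + '");' +
    'var bytes = Uint8Array.from(bin, function (c) { return c.charCodeAt(0); });' +
    'window.opener.alert(new TextDecoder().decode(bytes));' +
    'window.close();' +
    '</script></html>';
}

// Server-side mirror of the popup's decode, used to verify the round trip offline.
function decodeForDisplay(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// The whole base64 alphabet plus padding: nothing in here can terminate a JS
// string or an HTML element.
const BASE64_ONLY = /^[A-Za-z0-9+\/]*={0,2}$/;

// Constructed sample messages, including a quote, a closing tag and a non-Latin-1 character.
const MESSAGES = ['She said "hi"', 'done</script>', 'prix: 10 €'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of MESSAGES) {
    const b64 = encodeForTransport(m);
    console.log(b64, BASE64_ONLY.test(b64), decodeForDisplay(b64) === m);
    console.log(renderPopupBase64(m));
  }
}
```

Every encoded message matches the base64 alphabet, decodes back to the original text, and the generated page contains exactly one `</script>` regardless of what the message holds.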