
On my server side, I have something that looks like this:

Response.Write("<script>$(document).ready(function(){ SetTitle('" + userInput + "'); });</script>");

As you can see, this code is vulnerable to XSS attacks with an input like this:

'); alert('XSS attack');//

Here is my question: if I escape the single quote (') on the server side, will it be enough to stop XSS attacks in this specific case? Or do you see any other possible attacks? Or maybe I'm just setting my title the wrong way?

NLemay
  • Take a look at this question: http://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side – merlin2011 Apr 14 '14 at 20:18
  • Regardless of whatever you do to your client side code, the code of the DOM can be easily modified by the end user, so your changes could easily be undone. – user1477388 Apr 14 '14 at 20:18
  • This can really help you http://blogs.msdn.com/b/syedab/archive/2009/07/06/preventing-cross-site-scripting-attacks.aspx – ale Apr 14 '14 at 20:19
  • Just to clarify, I added that I want to do the escaping on server side. Thank you @Infer-On, I'll look at it. – NLemay Apr 14 '14 at 20:24

0 Answers