
I am creating a file name like this

var name = $('#top-line').val();                 // raw user input, not yet escaped
var fname = random + '-' + name + '-something';  // random is defined elsewhere (not shown)

Here fname is the file name. I don't know what the user might enter in #top-line; how can I escape the characters to be sure it is safe? I tried it with #top-line set to `something "else"` and things got messed up.

From the comment I read I understand that

escape("Need tips? Visit W3Schools!") will produce
Need%20tips%3F%20Visit%20W3Schools%21 

My doubt is: will the file get saved as

Need%20tips%3F%20Visit%20W3Schools%21

What if someone writes escape(/Need tips? Visit W3Schools!")

EDIT: on the server I am saving files like

$name = uniqid('somevalue',true);
$file = 'usermemes/' . $name . '.jpeg';

On the user's computer the file has the name that the user provides.

Asain
  • http://www.w3schools.com/jsref/jsref_escape.asp – Eun Feb 05 '15 at 13:14
  • 3
    possible duplicate of [Escaping Strings in JavaScript](http://stackoverflow.com/questions/770523/escaping-strings-in-javascript) – Noy Feb 05 '15 at 13:15
  • Are you going to be actually creating files on the server based on the user input? You need to do this sort of thing on the server so that malicious users can't screw your server up. – atmd Feb 05 '15 at 13:15
  • 1
    It isn't clear what you need - are you sending this string to the server in a query string? Saving a file on the server with this name? Inserting this into a database query? Look at [encodeUri](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI), but @atmd is right - you probably want to do this on the server. – Nate Barbettini Feb 05 '15 at 13:18
  • Yes, I am saving one copy of file on server and another one the user can download. – Asain Feb 05 '15 at 13:19

2 Answers

You want to do this on the server. Here's why: even if your JavaScript is minified, remember that (theoretically) anyone can view and modify your script. You could write a great routine that checks for bad characters, makes sure the user isn't doing anything "injecty", and turns the input into a good filename for your server's OS, but if someone was really motivated, they could download a local copy of your page, edit the script, and fire off as many malicious requests to your server as they want.

It's reasonable to do some basic escaping on the client side (such as encodeUri - see this answer for details), but you'll want to do the real work on your server. Don't just take the user input, put it into a filename string, and save on the server. It can be as simple as a set of str_replace calls or a regex that checks for allowable characters. You just want to make sure you do it where the user can't see.

Edit: If you're just using the user-entered name locally, I'd go with encodeURIComponent and also remove single and double quotes with a regex as Prabhu suggested. (But why not just have the file saved on the server with a unique name, and then have the user download that?)

Nate Barbettini
  • I am not saving the file with the user's name on the server. The name that the user provides is used to save the file on his device. I have edited my question to include more details. Please take a look again at the reframed question. – Asain Feb 05 '15 at 13:27
  • Updated my answer. Hope it helps. – Nate Barbettini Feb 05 '15 at 13:42
  • I don't want to add one extra step for the user. I tried `var name = $('#top-line').val(); name.replace(/['"]+/g, '');` but the file was still saved without an extension when I entered `something "else"` – Asain Feb 05 '15 at 13:46
  • @Asain You need to use the return value of `replace` like `name = name.replace(/['"]+/g, '');` – fgb Feb 05 '15 at 13:55
  • Thanks @fgb, I am a real dumbass. I have just one more doubt. If I use `var name=""; var name = $('#top-line').val(); name = name.replace(/['"]+/g, ''); var fname = random+'-'+name+'-something';` will it solve the issue for every character? – Asain Feb 05 '15 at 14:03
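An added example (not code from the question or either answer) of the allowlist-style filename check the answer describes, written in JavaScript so it can also run unchanged on the client; the function names sanitizeFilenamePart and buildDownloadName and the sample inputs are assumptions/constructed. Unlike the asker's regex it removes every path separator and filesystem-reserved character, not just quotes, and it assigns the result of replace back.

```javascript
// Added example, not from the question or either answer. Assumed names:
// sanitizeFilenamePart, buildDownloadName. All sample inputs are constructed.

// Path separators and characters invalid in filenames on Windows, macOS or Linux,
// plus single/double quotes (which broke the asker's name) and control characters.
const UNSAFE_CHARS = /[\\\/:*?"<>|'\x00-\x1f\x7f]/g;
// Windows reserved device names; even "CON.jpeg" is not a usable filename there.
const RESERVED_NAMES = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])$/i;
const MAX_PART_LENGTH = 100;

function sanitizeFilenamePart(input, fallback = 'file') {
  let part = (input == null ? '' : String(input))
    .replace(UNSAFE_CHARS, '')        // drop separators, quotes, wildcards, control chars
    .replace(/\s+/g, ' ')             // collapse runs of whitespace
    .slice(0, MAX_PART_LENGTH)        // keep the name within filesystem limits
    .replace(/^[\s.]+|[\s.]+$/g, ''); // no leading/trailing dots or spaces ("..", hidden files)
  if (part === '' || RESERVED_NAMES.test(part)) {
    part = fallback;                  // nothing usable left: use a safe constant instead
  }
  return part;
}

// Same shape as the asker's random + '-' + name + '-something', but the user-supplied
// part is sanitized and the extension is fixed by the code, never by the user.
function buildDownloadName(random, userName, suffix, extension) {
  return random + '-' + sanitizeFilenamePart(userName) + '-' + suffix + '.' + extension;
}

// Constructed usage:
// buildDownloadName('abc123', 'something "else"', 'something', 'jpeg')
//   -> 'abc123-something else-something.jpeg'
```

As the answer says, the server must repeat this check on its own copy of the name before it touches the filesystem, because the client-side copy can be edited away.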

Initialize your "name" variable with an empty string

var name= "";
name="Need tips? Visit W3Schools!";

and JavaScript will take "everything" as a string, no matter whether it is an escape or not. Even

var name = "";
name = "\\Need tips? Visit W3Schools!\\"; // a backslash inside a string literal must itself be escaped as \\

or

var name= "";
name="Need\\ tips? Vis\\it W3\\School\\s!";

The only thing is you need to take care of double quotes so they can be removed. So in total, like this:

var name = "";
name = $('#top-line').val();
name = name.replace(/['"]+/g, ''); // replace() returns a new string, so assign it back

or write logic using this to alert the user not to enter double quotes.