javascript/html injection

we have a bookmarlet that calls an asp page,

the asp page returns html(embedded inside a javascript code)

then javascript gets execuded and the hmtl inserted into a textbox on a webform.

everything works fine if data being passed is plain text, but with html does not work.

Since this is a bookmarlet, there are no error messages.

We do tried escaping the html from the database, we replace ' single quotes and "" double/double quotes when returning the html back.

Any ideas ?
goodluck11Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

goodluck11Author Commented:
 sample code

var formContent = {
"0":"905",
"9":"",
"10":"<table border="0" cellspacing="10" cellpadding="0" width="860" bgcolor="#ffffff"> <tr> <td width="400" valign="top" align="left" style="border:none;"> <img src="http://www.imagesurl.com/frames/2011/10/25/15925462.jpg"><br/><br/> <table cellspacing="10"><tr><td><a target="_blank" href="http://www.imagesurl.info/frames/2011/10/25/15925457.jpg"><img src="http://www.imagesurl.info/frames/2011/10/25/15925469.jpg" border="0"></a></td><td><a target="_blank" href="http://www.imagesurl.info/frames/2011/10/25/15925453.jpg"><img src="http://www.imagesurl.info/frames/2011/10/25/15925459.jpg" border="0"></a>"
}

Open in new window

0
goodluck11Author Commented:
 here is the code inserting the form values


var form = document.getElementById('Form1'); 

	for (var o in formContent) 
	{
		form.elements[o].value=formContent[o];
	}

Open in new window

0
giltjrCommented:
Either put the whole HTML string inside single quotes or put the parameters within the string single quotes.

You have:

"<table border="0" cellspacing="10" ... >"

So you double quote the whole string, but you then have parameters within double quotes also.

So as the string gets parsed as you have it now, it sees

"<table border="  Then a zero, then the start of another string " cellspacing=", then the number 10 and so on.  You either need:

'<table border="0" cellspacing="10" ... >'

Or

"<table border='0' cellspacing='10' ...>"

The only other way is to find out a way to escape the double quotes that are contained within the string you want to pass.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
goodluck11Author Commented:
Thats great thank! single quotes worked,

But didnt understand this:

> but you then have parameters within double quotes also.  -?

Outputting one or twice double quotes didn't work.
0
giltjrCommented:
You have the value for table border within double quotes:

--> table border="0"

And the whole string was within double quote "< ..... >"

So you basically had:

  "< table border = "0">"

You either needed:

   '< table border ="0">'

or

    "< table border ='0'>"

Or escape the quotes within the string:

    "< table border =\"0\">"

Does that make sense?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
JavaScript

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.