goodluck11
asked on
javascript/html injection
We have a bookmarklet that calls an ASP page,
the ASP page returns HTML (embedded inside JavaScript code),
then the JavaScript gets executed and the HTML is inserted into a textbox on a web form.
Everything works fine if the data being passed is plain text, but with HTML it does not work.
Since this is a bookmarklet, there are no error messages.
We did try escaping the HTML from the database; we replace ' single quotes and "" double/double quotes when returning the HTML.
Any ideas?
ASKER
Here is the code inserting the form values:
// formContent is the object returned by the ASP page, keyed by form field name
var form = document.getElementById('Form1');
for (var o in formContent)
{
    // copy each returned value into the form element with the same name
    form.elements[o].value = formContent[o];
}
ASKER CERTIFIED SOLUTION
ASKER
That's great, thanks! Single quotes worked,
but I didn't understand this:
> but you then have parameters within double quotes also. -?
Outputting one or two double quotes didn't work.
You have the value for table border within double quotes:
--> table border="0"
And the whole string was within double quote "< ..... >"
So you basically had:
"< table border = "0">"
You either needed:
'< table border ="0">'
or
"< table border ='0'>"
Or escape the quotes within the string:
"< table border =\"0\">"
Does that make sense?
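The quoting problem described in the answer above, and the asker's form-filling loop earlier in the thread, come down to one thing: the ASP page has to emit each field value as a valid JavaScript string literal, so a double quote (or a newline, or a closing script tag) inside the HTML cannot end the literal early. The following is an added example, not code from the original thread; it assumes the ASP page returns a script of the form `var formContent = {...};` which the bookmarklet evaluates, and it uses a small stand-in for the form so it runs outside a browser. The names `toJsStringLiteral`, `buildFormContentScript`, `evaluateFormContent` and `fillForm` are hypothetical.

```javascript
// Added example (not from the original thread). Serialize HTML into a
// JavaScript string literal so that quotes inside the markup cannot
// terminate the literal. Assumes the ASP page emits:
//   var formContent = { fieldName: "<...>" };
// which the bookmarklet then evaluates.

function toJsStringLiteral(text) {
  const escaped = String(text)
    .replace(/\\/g, '\\\\')        // backslash first, so later escapes are not doubled
    .replace(/"/g, '\\"')          // a bare " would end a "..." literal
    .replace(/'/g, "\\'")          // harmless inside "...", needed if '...' were used instead
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')         // a raw newline inside a literal is a syntax error
    .replace(/\u2028/g, '\\u2028') // line/paragraph separators are line terminators in older engines
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');      // keep a "</script>" in the data from closing an inline script
  return '"' + escaped + '"';
}

// Build the JavaScript the ASP page would return for a set of field values.
function buildFormContentScript(fields) {
  const parts = Object.keys(fields).map(
    (name) => toJsStringLiteral(name) + ': ' + toJsStringLiteral(fields[name])
  );
  return 'var formContent = {' + parts.join(', ') + '};';
}

// Evaluate the generated script the way the bookmarklet does and hand back the object.
function evaluateFormContent(script) {
  return new Function(script + ' return formContent;')();
}

// The asker's loop, written so it also works against a plain object that
// mimics document.forms[...].elements (used below so the example runs without a DOM).
function fillForm(form, formContent) {
  for (const name in formContent) {
    if (Object.prototype.hasOwnProperty.call(formContent, name) && form.elements[name]) {
      form.elements[name].value = formContent[name];
    }
  }
  return form;
}

// Constructed sample: the markup from the thread plus values that break a naive literal.
const sampleFields = {
  txtHtml: '<table border="0"><tr><td>it\'s "quoted"</td></tr></table>',
  txtNote: 'line one\nline two </script>',
};

// Round trip: generate the script, evaluate it, fill a stand-in form.
const generatedScript = buildFormContentScript(sampleFields);
const returnedContent = evaluateFormContent(generatedScript);
const fakeForm = { elements: { txtHtml: { value: '' }, txtNote: { value: '' } } };
fillForm(fakeForm, returnedContent);
console.log(generatedScript);
console.log(fakeForm.elements.txtHtml.value === sampleFields.txtHtml); // true
```

For the double-quote case alone, `JSON.stringify(value)` does the same escaping of quotes, backslashes and control characters and is the simpler choice when the server side can produce JSON; the extra `</` replacement matters only when the string is placed inside an inline `<script>` block. Because the browser executes whatever the ASP page returns, this escaping is what keeps field contents as data rather than as code that runs in the page.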