Solved

javascript/html injection

Posted on 2012-03-18
5
244 Views
Last Modified: 2012-03-19
we have a bookmarlet that calls an asp page,

the asp page returns html(embedded inside a javascript code)

then javascript gets execuded and the hmtl inserted into a textbox on a webform.

everything works fine if data being passed is plain text, but with html does not work.

Since this is a bookmarlet, there are no error messages.

We do tried escaping the html from the database, we replace ' single quotes and "" double/double quotes when returning the html back.

Any ideas ?
0
Comment
Question by:goodluck11
  • 3
  • 2
5 Comments
 

Author Comment

by:goodluck11
ID: 37735841
 sample code

var formContent = {
"0":"905",
"9":"",
"10":"<table border="0" cellspacing="10" cellpadding="0" width="860" bgcolor="#ffffff"> <tr> <td width="400" valign="top" align="left" style="border:none;"> <img src="http://www.imagesurl.com/frames/2011/10/25/15925462.jpg"><br/><br/> <table cellspacing="10"><tr><td><a target="_blank" href="http://www.imagesurl.info/frames/2011/10/25/15925457.jpg"><img src="http://www.imagesurl.info/frames/2011/10/25/15925469.jpg" border="0"></a></td><td><a target="_blank" href="http://www.imagesurl.info/frames/2011/10/25/15925453.jpg"><img src="http://www.imagesurl.info/frames/2011/10/25/15925459.jpg" border="0"></a>"
}

Open in new window

0
 

Author Comment

by:goodluck11
ID: 37735849
 here is the code inserting the form values


var form = document.getElementById('Form1'); 

	for (var o in formContent) 
	{
		form.elements[o].value=formContent[o];
	}

Open in new window

0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 37736080
Either put the whole HTML string inside single quotes or put the parameters within the string single quotes.

You have:

"<table border="0" cellspacing="10" ... >"

So you double quote the whole string, but you then have parameters within double quotes also.

So as the string gets parsed as you have it now, it sees

"<table border="  Then a zero, then the start of another string " cellspacing=", then the number 10 and so on.  You either need:

'<table border="0" cellspacing="10" ... >'

Or

"<table border='0' cellspacing='10' ...>"

The only other way is to find out a way to escape the double quotes that are contained within the string you want to pass.
0
 

Author Comment

by:goodluck11
ID: 37736272
Thats great thank! single quotes worked,

But didnt understand this:

> but you then have parameters within double quotes also.  -?

Outputting one or twice double quotes didn't work.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 37736978
You have the value for table border within double quotes:

--> table border="0"

And the whole string was within double quote "< ..... >"

So you basically had:

  "< table border = "0">"

You either needed:

   '< table border ="0">'

or

    "< table border ='0'>"

Or escape the quotes within the string:

    "< table border =\"0\">"

Does that make sense?
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
removing a class in javascript 4 51
Html value of radio 14 31
Start Auto-download of File when page loads? 1 23
On Load function does not trigger on iPhone 4 37
Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
Find out what you should include to make the best professional email signature for your organization.
In this tutorial viewers will learn how to embed Flash content in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: "<!DOCTYPE html>": Use the <object> tag to embed Flash content.: To specify that the object is Flash content, d…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question