Solved

javascript/html injection

Posted on 2012-03-18
5
246 Views
Last Modified: 2012-03-19
we have a bookmarlet that calls an asp page,

the asp page returns html(embedded inside a javascript code)

then javascript gets execuded and the hmtl inserted into a textbox on a webform.

everything works fine if data being passed is plain text, but with html does not work.

Since this is a bookmarlet, there are no error messages.

We do tried escaping the html from the database, we replace ' single quotes and "" double/double quotes when returning the html back.

Any ideas ?
0
Comment
Question by:goodluck11
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 

Author Comment

by:goodluck11
ID: 37735841
 sample code

var formContent = {
"0":"905",
"9":"",
"10":"<table border="0" cellspacing="10" cellpadding="0" width="860" bgcolor="#ffffff"> <tr> <td width="400" valign="top" align="left" style="border:none;"> <img src="http://www.imagesurl.com/frames/2011/10/25/15925462.jpg"><br/><br/> <table cellspacing="10"><tr><td><a target="_blank" href="http://www.imagesurl.info/frames/2011/10/25/15925457.jpg"><img src="http://www.imagesurl.info/frames/2011/10/25/15925469.jpg" border="0"></a></td><td><a target="_blank" href="http://www.imagesurl.info/frames/2011/10/25/15925453.jpg"><img src="http://www.imagesurl.info/frames/2011/10/25/15925459.jpg" border="0"></a>"
}

Open in new window

0
 

Author Comment

by:goodluck11
ID: 37735849
 here is the code inserting the form values


var form = document.getElementById('Form1'); 

	for (var o in formContent) 
	{
		form.elements[o].value=formContent[o];
	}

Open in new window

0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 37736080
Either put the whole HTML string inside single quotes or put the parameters within the string single quotes.

You have:

"<table border="0" cellspacing="10" ... >"

So you double quote the whole string, but you then have parameters within double quotes also.

So as the string gets parsed as you have it now, it sees

"<table border="  Then a zero, then the start of another string " cellspacing=", then the number 10 and so on.  You either need:

'<table border="0" cellspacing="10" ... >'

Or

"<table border='0' cellspacing='10' ...>"

The only other way is to find out a way to escape the double quotes that are contained within the string you want to pass.
0
 

Author Comment

by:goodluck11
ID: 37736272
Thats great thank! single quotes worked,

But didnt understand this:

> but you then have parameters within double quotes also.  -?

Outputting one or twice double quotes didn't work.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 37736978
You have the value for table border within double quotes:

--> table border="0"

And the whole string was within double quote "< ..... >"

So you basically had:

  "< table border = "0">"

You either needed:

   '< table border ="0">'

or

    "< table border ='0'>"

Or escape the quotes within the string:

    "< table border =\"0\">"

Does that make sense?
0

Featured Post

[Live Webinar] The Cloud Skills Gap

As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.

Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses four methods for overlaying images in a container on a web page
Q&A with Course Creator, Mark Lassoff, on the importance of HTML5 in the career of a modern-day developer.
In this tutorial viewers will learn how to code links for mobile sites that, once clicked, send a call or text to a specified number. For a telephone link (once clicked, calls a number), begin with a normal "<a href=" link tag. For the href, specify…
In this tutorial viewers will learn how to embed videos in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: "<!DOCTYPE html>": Use the <video> tag to insert a video. Define the src as the URL of your video; this is similar to …
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question