Solved

javascript/html injection

Posted on 2012-03-18
5
245 Views
Last Modified: 2012-03-19
we have a bookmarlet that calls an asp page,

the asp page returns html(embedded inside a javascript code)

then javascript gets execuded and the hmtl inserted into a textbox on a webform.

everything works fine if data being passed is plain text, but with html does not work.

Since this is a bookmarlet, there are no error messages.

We do tried escaping the html from the database, we replace ' single quotes and "" double/double quotes when returning the html back.

Any ideas ?
0
Comment
Question by:goodluck11
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 

Author Comment

by:goodluck11
ID: 37735841
 sample code

var formContent = {
"0":"905",
"9":"",
"10":"<table border="0" cellspacing="10" cellpadding="0" width="860" bgcolor="#ffffff"> <tr> <td width="400" valign="top" align="left" style="border:none;"> <img src="http://www.imagesurl.com/frames/2011/10/25/15925462.jpg"><br/><br/> <table cellspacing="10"><tr><td><a target="_blank" href="http://www.imagesurl.info/frames/2011/10/25/15925457.jpg"><img src="http://www.imagesurl.info/frames/2011/10/25/15925469.jpg" border="0"></a></td><td><a target="_blank" href="http://www.imagesurl.info/frames/2011/10/25/15925453.jpg"><img src="http://www.imagesurl.info/frames/2011/10/25/15925459.jpg" border="0"></a>"
}

Open in new window

0
 

Author Comment

by:goodluck11
ID: 37735849
 here is the code inserting the form values


var form = document.getElementById('Form1'); 

	for (var o in formContent) 
	{
		form.elements[o].value=formContent[o];
	}

Open in new window

0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 37736080
Either put the whole HTML string inside single quotes or put the parameters within the string single quotes.

You have:

"<table border="0" cellspacing="10" ... >"

So you double quote the whole string, but you then have parameters within double quotes also.

So as the string gets parsed as you have it now, it sees

"<table border="  Then a zero, then the start of another string " cellspacing=", then the number 10 and so on.  You either need:

'<table border="0" cellspacing="10" ... >'

Or

"<table border='0' cellspacing='10' ...>"

The only other way is to find out a way to escape the double quotes that are contained within the string you want to pass.
0
 

Author Comment

by:goodluck11
ID: 37736272
Thats great thank! single quotes worked,

But didnt understand this:

> but you then have parameters within double quotes also.  -?

Outputting one or twice double quotes didn't work.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 37736978
You have the value for table border within double quotes:

--> table border="0"

And the whole string was within double quote "< ..... >"

So you basically had:

  "< table border = "0">"

You either needed:

   '< table border ="0">'

or

    "< table border ='0'>"

Or escape the quotes within the string:

    "< table border =\"0\">"

Does that make sense?
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Use these top 10 tips to master the art of email signature design. Create an email signature design that will easily wow recipients, promote your brand and highlight your professionalism.
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
In this tutorial viewers will learn how to style transparent/translucent elements using alpha transparency in CSS Start with a normal styled element, such as a div.: Define its "background-color" property as "rgba (255, 255, 255, .5): The numbers in…
In this tutorial viewers will learn how to embed Flash content in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: "<!DOCTYPE html>": Use the <object> tag to embed Flash content.: To specify that the object is Flash content, d…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question