about text substitution.

SpreadTooThin

I have an application that takes some user input and then at a later
date displays that in a hover over pop up.

The jquery script
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/prototype/1.7.0.0/prototype.js"></script>
<script type="text/javascript" src="https://swort.eu/library/prototip/js/prototip/prototip.js"></script>
<link rel="stylesheet" media="all" href="https://swort.eu/library/prototip/css/prototip.css"/>

The basic application when it gets a mouse enter event takes that
user input and passes it to the jquery like this:

ExecuteJavaScript("new Tip('"+_
me.ControlID +_
"', '" + GetContentString + "', {"+_
"title: '" + GetTitleString + "',"+_
"style: 'protoblue',"+_
"stem: 'topLeft',"+_
"hook: { tip: 'topLeft', mouse: true },"+_
"offset: { x: 14, y: 14 }"+_
"});")


There are some strings that really mess this up. If one of the
characters is a " or a ' then the javascript throws an exception.

How can I preprocess these user entered strings so that I don't get
these exceptions thrown?

i.e. can I put a \ in front of the " or the ' so that it is
interpreted literally?
Are there any other characters that will need special pre-processing?
 
Jukka K. Korpela

> I have an application that takes some user input and then at a later
> date displays that in a hover over pop up.

This would be much easier to analyze if the URL of an online version had
been included.

> The basic application when it gets a mouse enter event takes that
> user input and passes it to the jquery like this:
>
> ExecuteJavaScript("new Tip('"+_

This sounds like a complicated and risky way of doing something fairly
simple. Anyway, your problem, in the current approach, is basically a
JavaScript problem, not HTML.

> There are some strings that really mess this up. If one of the
> characters is a " or a ' then the javascript throws an exception.

Or maybe executes code injected by the intruder, through the huge
security hole that you have built.

> Are there any other characters that will need special pre-processing?

The backslash readily comes into my mind, and then all the line terminators.
 
SpreadTooThin

> This would be much easier to analyze if the URL of an online version had
> been included.

> This sounds like a complicated and risky way of doing something fairly
> simple. Anyway, your problem, in the current approach, is basically a
> JavaScript problem, not HTML.

> Or maybe executes code injected by the intruder, through the huge
> security hole that you have built.

> The backslash readily comes into my mind, and then all the line terminators.

Right, it's like sanitizing database inputs.... So is there a sanitize
method?
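
One way to do the preprocessing asked about in this thread, shown as an added example that is not part of any poster's message: encode each user string as a complete JavaScript string literal instead of patching individual characters. The names `toJsStringLiteral`, `buildTipCall`, `buildTipCallNaive`, `runWithStubTip` and the stub `Tip` constructor are hypothetical, and the sample input is constructed.

```javascript
// Encode any string as a JavaScript string literal (surrounding quotes included).
// JSON.stringify escapes ", \ and control characters such as \n and \r.
// U+2028/U+2029 are line terminators in older engines, and <, >, & are
// escaped so the literal is also safe inside an inline <script> block.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[\u2028\u2029<>&]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Hypothetical builder mirroring the thread's "new Tip(...)" call.
function buildTipCall(controlId, content, title) {
  return 'new Tip(' + toJsStringLiteral(controlId) + ', ' +
    toJsStringLiteral(content) + ', {' +
    'title: ' + toJsStringLiteral(title) + ',' +
    "style: 'protoblue'," +
    "stem: 'topLeft'," +
    "hook: { tip: 'topLeft', mouse: true }," +
    'offset: { x: 14, y: 14 }' +
    '});';
}

// The thread's quote-wrapping concatenation, kept for comparison only.
function buildTipCallNaive(controlId, content, title) {
  return "new Tip('" + controlId + "', '" + content + "', {title: '" + title + "'});";
}

// Run generated source against a stub Tip and report what it received.
function runWithStubTip(source) {
  const calls = [];
  function Tip(id, content, options) {
    calls.push({ id, content, title: options.title });
  }
  try {
    new Function('Tip', source)(Tip);
    return { ok: true, calls };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample input: both quote kinds, a backslash, line terminators.
const sample = 'It\'s a "test" \\ with\nnew\u2028lines </script>';
console.log(runWithStubTip(buildTipCallNaive('ctl1', sample, 'T')));
console.log(runWithStubTip(buildTipCall('ctl1', sample, "Bob's tip")));
```

Escaping this way only makes the value safe as a JavaScript string; if the tooltip library then inserts that string into the page as markup, it needs HTML escaping as a separate step.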
 
