Preventing Cross Site Scripting

Qaurk Noble

Can anyone help?

I need to HTML encode all text field values on the client just before
sending them to the server. A JavaScript equivalent of Server.HTMLEncode in
IIS. I also need to be able to perform the reverse.

All I am trying to do is ensure that if a user enters HTML tags in a
form, the tags do not get parsed by the browser.
 
Martin Honnen

Qaurk said:
Can anyone help?

I need to HTML encode all text field values on the client just before
sending them to the server. A JavaScript equivalent of Server.HTMLEncode in
IIS. I also need to be able to perform the reverse.

All I am trying to do is ensure that if a user enters HTML tags in a
form, the tags do not get parsed by the browser.

Well, you need to use server-side scripting anyway, or otherwise someone
could disable JavaScript or set up his own form without the encoding.
Thus if you have ASP on the server then simply use that; don't bother
with client-side encoding.
 
Qaurk Noble

Thanks for replying Martin

I agree entirely about doing the encoding on the server side. The biggest
challenge I face at the moment is that this project is using JSP and I am
new to Java. I have not yet located a JSP equivalent of ASP's
Server.HTMLEncode.
 
Fox

Qaurk said:
Thanks for replying Martin

I agree entirely about doing the encoding on the server side. The biggest
challenge I face at the moment is that this project is using JSP and I am
new to Java. I have not yet located a JSP equivalent of ASP's
Server.HTMLEncode.

In JS, you can use escape(string) and unescape(string).

If you want to strip out HTML inputted by the user:

string.replace(/(<([^>]+)>)/g,""); // before escaping

Dr John Stockton

JRS: In article <[email protected]>, seen in
news:comp.lang.javascript said:
If you want to strip out HTML inputted by the user:

string.replace(/(<([^>]+)>)/g,""); // before escaping

That can change non-HTML text:

Try S = "J'appelle mon petit chien <<Idefix>>"
or S = "This works : if (X<12) and (Y>3) then Write('Ooh!') ;"
then S.replace(/(<([^>]+)>)/g,"");
 
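As an added example (not code from any poster in this thread), here is a JavaScript HTML entity encode/decode pair in the spirit of Server.HTMLEncode, run next to the tag-stripping regex quoted above on Dr John Stockton's two sample strings plus one constructed line. Note that escape()/unescape() percent-encode rather than entity-encode, so they do not stop tags from being parsed, and, as Martin says, the same encoding must still be applied on the server.

```javascript
// Added example, not code from the thread: HTML entity encoding/decoding
// compared with the tag-stripping regex quoted in the thread.

const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE_MAP = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Encode the five characters that can change HTML structure or break out of
// an attribute value; everything else passes through unchanged.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Reverse of htmlEncode, done in a single pass so decoded output is never
// re-scanned: "&amp;lt;" and "&#38;lt;" both decode to "&lt;", not to "<".
function htmlDecode(text) {
  return String(text).replace(
    /&(?:#x([0-9a-f]+)|#(\d+)|(amp|lt|gt|quot|apos));/gi,
    (_m, hex, dec, name) => {
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      if (dec) return String.fromCodePoint(parseInt(dec, 10));
      return DECODE_MAP[name.toLowerCase()];
    }
  );
}

// The tag-stripping regex from the thread, kept for comparison.
function stripTags(text) {
  return String(text).replace(/(<([^>]+)>)/g, "");
}

// Dr John Stockton's two counter-examples plus a constructed sample line.
const SAMPLES = [
  "J'appelle mon petit chien <<Idefix>>",
  "This works : if (X<12) and (Y>3) then Write('Ooh!') ;",
  "Tom &amp; Jerry <b>bold</b>",
];

// For each sample: the encoded form, whether decoding restores the original
// exactly, and what stripping would have done to the text.
function compare(samples) {
  return samples.map((s) => ({
    original: s,
    encoded: htmlEncode(s),
    roundTrip: htmlDecode(htmlEncode(s)) === s,
    stripped: stripTags(s),
  }));
}

console.log(JSON.stringify(compare(SAMPLES), null, 2));
```

Encoding keeps every sample reversible, while stripping turns the first sample into "J'appelle mon petit chien >" and the second into "This works : if (X3) then Write('Ooh!') ;".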
