What is escaping?
Escaping is a way to differentiate between characters used as part of the syntax of a language and data.
Eg:
Java:       String name = "My name is \"";
JavaScript: var name = "My name is \"";
HTML:       <input type="text" value="My name is &quot;">
HTML Escaping
Reserved Characters in HTML
HTML and XHTML processors must support the five special characters listed in the table below:

Character   Entity Number   Entity Name   Description
"           &#34;           &quot;        quotation mark
'           &#39;           &apos;        apostrophe
&           &#38;           &amp;         ampersand
<           &#60;           &lt;          less-than
>           &#62;           &gt;          greater-than

Entity declaration for the ampersand, as it appears in the HTML 4 entity DTD:
<!ENTITY amp CDATA "&#38;" -- ampersand, U+0026 ISOnum -->
JavaScript Escaping
In JavaScript you can use a single quote (') or a double quote (") as the delimiter for strings. So if the value contains either a double quote or a single quote, it should be escaped as follows:
var iAmSingleQuote = '\'';
var iAmDoubleQuote = "\"";
HTML & JS Escaping
In case we need both JavaScript and HTML escaping, do JavaScript escaping first and then HTML escaping.
Original
--------------
<input type='submit' onClick='message("You can enter single quote(') and double quote(")");'/>
Corrected with HTML and JavaScript escaping (JavaScript backslash escaping applied first, then the HTML entities on top)
----------------------------------------------------------------
<input type='submit' onClick='message("You can enter single(\&#39;) and double(\&quot;) quotes");'/>
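The two-step escaping on this slide, worked through as an added example in JavaScript (not code from the slides): the jsEscape, htmlEscape and browserAttributeDecode helpers are constructed for this illustration, and the input string is the slide's own sample; the browser model also shows why the reverse order leaves a bare double quote in the script.

```javascript
// Added example: layered escaping for a value placed in a JavaScript string
// literal that itself lives inside a single-quoted HTML attribute, i.e.
// onClick='message("<value>")'. Helpers are constructed for this example.

// Step 1: JavaScript string escaping (backslash, both quote kinds, line breaks).
function jsEscape(s) {
  const map = { '\\': '\\\\', "'": "\\'", '"': '\\"',
                '\n': '\\n', '\r': '\\r', '\u2028': '\\u2028', '\u2029': '\\u2029' };
  return s.replace(/[\\'"\n\r\u2028\u2029]/g, (ch) => map[ch]);
}

// Step 2: HTML escaping of the five characters from the entity table
// (numeric &#39; is used for the apostrophe, which every HTML version accepts).
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Correct order: JavaScript escaping first, then HTML escaping on top.
function escapeForJsInAttribute(value) {
  return htmlEscape(jsEscape(value));
}

// The reverse order, kept only to show why it fails.
function wrongOrder(value) {
  return jsEscape(htmlEscape(value));
}

// Model of what the browser does with an attribute value before the JavaScript
// engine ever sees it: the entities are decoded (simplified to the five above).
function browserAttributeDecode(attr) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return attr.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => map[ent]);
}

// True if, after attribute decoding, every double quote is still preceded by a
// backslash and so cannot terminate the double-quoted JS string literal.
function quotesStillEscaped(attrValue) {
  return !/(^|[^\\])"/.test(browserAttributeDecode(attrValue));
}

const sample = 'You can enter single(\') and double(") quotes'; // constructed input

console.log(escapeForJsInAttribute(sample)); // You can enter single(\&#39;) and double(\&quot;) quotes
console.log(quotesStillEscaped(escapeForJsInAttribute(sample))); // true
console.log(quotesStillEscaped(wrongOrder(sample)));             // false
```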
URL Encoding
Why: RFC 1738, the Uniform Resource Locators (URL) specification
The specification for URLs (RFC 1738, Dec. '94) limits the use of allowed characters in URLs to only a limited subset of the US-ASCII character set:
"...Only alphanumerics [0-9a-zA-Z], the special characters "$-_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."
• URL encoding of a character consists of a "%" symbol, followed by the two-digit hexadecimal representation (case-insensitive) of the ISO-Latin code point for the character.
• Eg: use the JavaScript method encodeURIComponent() to encode all parameter values in URLs and encodeURI() to encode the whole URL. The escape() method in JavaScript is deprecated and shouldn't be used.
Recommendation: HTML Escaping
Use standard tag libraries like JSTL and Spring tags. They handle escaping by default: they have boolean attributes related to escaping which are true by default.
Eg:
Spring form tag: <form:input disabled="${!canModify}" path="county" htmlEscape="true"/>
JSTL out tag:    <c:out value="${errorMessage}" escapeXml="true"/>
Recommendation: JavaScript Escaping
Get values from the DOM as much as possible and avoid assigning values from the server side.