HTML Encoded strings recognized by the javascript engine, how's it possible?

Well. This night was a very strange night to me. I am sorry to create a new question after creating two other questions previously, but this is another argument at all. If I get an answer here, I’ll get an answer to those questions too so please somebody listen to me and try to understand.

It all began with a simple script JS to be generated through an aspx codebehind file.
On a control, I had to put a JavaScript in this way:

this.MyTxtBox.Attributes["onfocus"] = "windows.alert('Hello World!');";

OK. You might think, where’s the problem? The problem is that ASP.NET 4.0 encodes everything, and I say everything in order to avoid XSS to be performed on a site. Well this might not seem a problem but if you look at the rendered page you’ll make a jump on the chair like I did:

<textarea id="..." onfocus="windows.alert(&#39;Hello World!&#39;);"></textarea>

As you can see the html, the final html is a bit odd… JavaScript engine should not accept this situation.
So I started this questions:

ASP.NET quote character encoding causes problems when setting a control's property

Asp.Net encoding configuration

Well I still haven’t got any answer YES we could not understand what the hell it is necessary to modify in the .net configuration in order not to let this situation happen.

But now I consider one thing, one important thing: JavaScript engine works!
Even with that odd code that should not be interpreted…

I hope everything was clear until now… The question now comes:

Is this a normal situation for the JavaScript engine?
Does every browser will correctly interpret a JavaScript having quotes replaced with their encoded strings?

If this is true I have to suppose that the .net does not provide a mechanism to avoid encoding just for this reason!

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

Re:

<textarea id="..." onfocus="windows.alert(&#39;Hello World!&#39;);"></textarea>

There’s nothing odd about that (other than your using windows.alert instead of window.alert). It should work fine (and does; example). The HTML parser parses HTML attribute values, and handles processing entities like &#39;. The JavaScript source code it eventually hands to the JavaScript interpreter will have quotes in it. The browser doesn’t hand the literal characters & # 3 9 ; to the JavaScript interpreter.

It’s just the same as:

<input type='text' value="This is a &#39;funny&#39; value too">

The HTML parser processes the entities, and the actual value assigned to the input is This is a "funny" value too.

Incidentally, this is also why this seemingly-innocent HTML is actually wrong and will fail validation (although most browsers will allow it):

<a href='http://www.google.com/search?q=foo&hl=en'>Search for foo</a>

More correctly, that should be:

<a href='http://www.google.com/search?q=foo&amp;hl=en'>Search for foo</a>
<!--                                       ^^^^^--- difference here   -->

…because the HTML parser parses the value, then assigns the parsed result to the href attribute. And of course, an & introduces a character entity and so to literally get an & you must use &amp; everywhere in HTML. (Again, most browsers will let you get away with it if what follows the & doesn’t look like an entity. But that can and will bite you.)

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply