
Preventing cross-site scripting in ASP.NET MVC - using jQuery or standard HtmlHelpers

Developer https://www.devze.com 2022-12-27 06:42 Source: web
I am building an ASP.NET MVC application that is AJAX-driven. For some reason I need to add some DOM elements on the fly when clicking a submit button. This is accomplished with jQuery.append().

One element inserted is a textarea, whose data must be parsed before submitting to ensure that no cross-site scripting can be done.

We know that the Html.Encode() works great but must be declared outside a script tag. All I have done with jQuery is embedded within a script tag.

1) Is there a way to take advantage of the Html.Encode() within a script tag?

2) How can I accomplish this with jQuery?

At worst I can use HttpUtility.HtmlEncode(), which is called on the server-side.

Thanks for your help.

Roland


If you are trying to protect against cross-site scripting, you should be doing it on the server anyway, as client side validation can be easily bypassed.


As I understand, the data that you're injecting is received using some client-side call, not while the page is built on the server side. In this case you could replace $(dest).append(data); with $(dest).append($('<div>').text(data)); Using .text vs .html will already sanitise the string.

Whatever you do I REALLY recommend watching this video by Phil Haack and Scott Hanselman http://live.visitmix.com/MIX10/Sessions/FT05. They show different ways of hacking a site using XSS and CSRF, and ways to protect yourself - exactly what you need :)


What version of MVC are you using? Not sure I understand the complete context so I'm going to try to cover it from many angles (for the scenarios I can think of, sure there are more). With MVC 2, you have new support for this: <%: Model.FirstName %> to encode data, which is the equivalence of <%= Html.Encode(Model.FirstName) %> as in MVC 1.

You should be able to do that in JS within the view, as in :

<script type="text/javascript">
    $(document).ready(function() {
        $("#this").html('<%= "Some HTML to write" %>');
    });
</script>

I thought I had done that... if not, a few alternatives are left. There is a client-side encode with the JS escape and unescape, but it encodes/decodes it in a different way than the server does... try it out to see for yourself, it will replace spaces with %20 and make other alterations too.

Lastly, jQuery can make a call to the server action method using $.get("/controller/action", function(data) { /* data here */ }), which you can encode using that, but that's highly inefficient.

HTH.


You could use the ASP.NET built in utility

var message = 'Welcome, @Ajax.JavaScriptStringEncode(ViewBag.UserName)!';

or you could use the Anti XSS Library

var message = 'Welcome, @Encoder.JavaScriptEncode(ViewBag.UserName, false)!';

http://weblogs.asp.net/jgalloway/archive/2011/04/28/preventing-javascript-encoding-xss-attacks-in-asp-net-mvc.aspx
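As an added example (not code from the question or from any of the answers), here are the two kinds of encoder side by side, to show why Html.Encode() output does not belong inside a JavaScript string literal while a JavaScript string encoder of the kind behind Ajax.JavaScriptStringEncode does. The htmlEncode and jsStringEncode functions, the sample textarea value and the Function-based evaluation are this example's own constructions, not the ASP.NET implementations; it runs under Node without jQuery.

```javascript
// A value a user could have typed into the textarea from the question
// (constructed for this example): a quote, a line break and a closing script tag.
const USER_INPUT = "O'Neil\nsays </script>";

// HTML encoding, the job Html.Encode() / <%: %> does for text placed in markup.
// It knows nothing about JavaScript: backslashes and line breaks pass through,
// and a quote becomes &#39;, which the JS engine treats as five literal characters.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// JavaScript string encoding, the job Ajax.JavaScriptStringEncode does for a value
// placed inside a JS string literal. Quotes and backslashes are escaped so the
// literal cannot end early, control characters become \uXXXX so a textarea line
// break cannot split the literal, and < > & become \uXXXX so the HTML parser never
// sees "</script>" inside the inline script block.
function jsStringEncode(s) {
  return String(s).replace(/[\\'"<>&\u2028\u2029\x00-\x1f]/g, ch => {
    if (ch === '\\') return '\\\\';
    if (ch === "'") return "\\'";
    if (ch === '"') return '\\"';
    return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// The JS source the view would emit for: var message = 'Welcome, <value>!';
function buildLiteral(value, encoder) {
  return "'Welcome, " + encoder(value) + "!'";
}

// Evaluates the emitted literal as the browser's JS engine would and returns the
// resulting string, or null when the literal does not even parse.
function evaluateLiteral(literalSource) {
  try {
    return new Function('return ' + literalSource + ';')();
  } catch (e) {
    return null; // SyntaxError: the string literal was broken apart
  }
}

// True when the literal can sit inside an inline <script> block: the HTML parser
// must not be able to find a closing script tag in it.
function safeForInlineScript(literalSource) {
  return !/<\/script/i.test(literalSource);
}
```

With the JS encoder the original text round-trips intact; with HTML encoding the line break from the textarea leaves an unterminated literal, and even a single-line value comes back as O&#39;Neil.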
