In a server-side Classic ASP file, let's say you receive a Request string containing malicious JavaScript like "alert('HACKED');"
DIM foo : foo = Request.Form("foo") 'Contains malicious JavaScript
and then later we're writing javascript to screen containing that value.
%>
<script type="text/javascript">
// some code
<%=foo %>
// some more code
</script>
<%
What do we do here to keep ourselves safe against this form of cross-site scripting?
Always remember: "Filter your input, and escape your output"
You filter data for safe storage in a database (to prevent SQL injection), and you escape data before presenting it to the user (to prevent XSS).
Try ASP's HTMLEncode() method.
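As an added example, not code from the question or the answer above, the following Node.js script models the page's output step so the two choices can be run side by side: the value dropped straight into the script block after HTML encoding, versus the value emitted as a JavaScript string literal and assigned to a variable. The helper names (htmlEncode, jsStringLiteral, renderBare, renderAsData) are hypothetical, and htmlEncode is an assumption about Server.HTMLEncode's behaviour (it models encoding of `<`, `>`, `&` and `"` only). Both inputs are constructed for the example.

```javascript
// Added example (Node.js), not code from the original question or answer.
// It models the question's Classic ASP page in JavaScript so the two
// output-escaping choices can be compared and executed offline.

// Models Classic ASP's Server.HTMLEncode. Assumption: it rewrites only
// < > & and " (the single quote is left alone).
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Escaping for a JavaScript *string literal* context: JSON-quote the value,
// then hex-escape the characters that could still close the <script> block
// or be misread by the HTML parser (< > &), plus the two JS line terminators
// that JSON leaves raw (U+2028, U+2029).
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The question's template: the value lands in a *code* position, so whatever
// survives the encoder is parsed and executed as JavaScript.
function renderBare(encoded) {
  return "// some code\n" + encoded + "\n// some more code\n";
}

// Hardened template: the value is assigned as string data, never as code.
function renderAsData(value) {
  return "// some code\nvar foo = " + jsStringLiteral(value) + ";\n// some more code\n";
}

// Runs a rendered script body with a stand-in alert() and reports whether
// the injected code executed. Constructed harness, not a browser.
function runsInjectedCode(scriptBody) {
  let fired = false;
  new Function("alert", scriptBody)(() => { fired = true; });
  return fired;
}

// Returns the value the hardened script actually assigns to foo.
function recoverFoo(scriptBody) {
  return new Function(scriptBody + "\nreturn foo;")();
}

// Constructed attacker inputs.
const payload = "alert('HACKED');";
const breakout = "</script><script>alert(1)</script>";

// Comparison a reader can run: returns a summary object instead of printing.
function compare(value) {
  return {
    htmlEncodedUnchanged: htmlEncode(value) === value,
    bareExecutes: runsInjectedCode(renderBare(htmlEncode(value))),
    dataExecutes: runsInjectedCode(renderAsData(value)),
    dataRoundTrips: recoverFoo(renderAsData(value)) === value,
  };
}
```

Running `compare(payload)` shows the point of the comparison: `alert('HACKED');` contains none of the characters htmlEncode touches, so in the question's bare `<%=foo %>` position it is emitted unchanged and executes, while the same value written through jsStringLiteral is only ever data that the script reads back intact. The breakout input shows why `<` is hex-escaped even inside a quoted literal: the rendered page never contains a literal `</script>` from the user.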