Scott

Reputation: 1228

nested quotes in javascript

A bit of a noob question here...

I have a javascript function on a list of table rows

<tr onclick="ClosePopup('{ScenarioID}', '{Name}');" />

However, the {Name} value can sometimes contain the character "'" (single quote). At the moment the error Expected: ')' comes up as a result because it is effectively ending the javascript function early and destroying the syntax.

What is the best way to prohibit the single quotes in the {Name} value from affecting the javascript?

Cheers!

Upvotes: 1

Views: 1025

Answers (4)

Scott

Reputation: 1228

Although the security information provided by everyone is very valuable, it was not so relevant to me in this situation as everything in this instance is client-side; security measures are applied when getting the data and rendering the XML. The page is also protected through Windows authentication (administration section only) and the web app framework cannot be changed. The answer I was looking for was really quite simple in the end.

<tr onclick='ClosePopup("{ScenarioID}", "{Name}");' />

Upvotes: 0

Robert L

Reputation: 1947

I would think that you could kill just about any code injection by, for example, replacing

"Hello"

with

String.fromCharCode(72,101,108,108,111)

Upvotes: 0

austin cheney
In support of the prior comment please read the following to gain a better understanding of why the security advice is so important.

http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf

Upvotes: 1

Josh

Reputation: 61

You're committing the first mortal sin of insecure web template programming - not escaping the content of the values being rendered into the template. I can almost guarantee you that if you take that approach, your web app will be vulnerable to XSS (cross site scripting) and any third party will be able to run custom javascript in your page, stealing user data and wreaking havoc as they wish.

Check it out. http://en.wikipedia.org/wiki/Cross-site_scripting

The solution is to escape the content. And to do that properly in the javascript, which is also inside html, is a lot more than just putting escape sequences in front of backslashes.

Any decent templating engine out there should provide you a way to escape content as it's written to the template. Your database values can be left as-is, the important part is escaping it at output time. If your template engine or dynamic web app framework doesn't allow for this, change to one that does. :)

Upvotes: 6
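As an added illustration of the output-time escaping this answer describes (example code written for this page, not from any post in the thread): the value passes through two parsers, the HTML attribute parser and then the JavaScript parser, so it is escaped for the inner JS string literal first and the finished script is HTML-escaped second. The helper names and the sample inputs are constructed for the example.

```javascript
// Added example (not from any post in this thread): render the <tr> from the
// question with each value escaped for both contexts it passes through.
// Inner context: a JavaScript string literal. Outer context: an HTML attribute.

// Escape a value for use inside a quoted JS string literal. Every character
// outside a small safe set becomes \uXXXX, so quotes, backslashes, newlines
// and angle brackets can never end the literal or the script early. The
// escaped form contains only [A-Za-z0-9 _.,-], so it also survives HTML escaping.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 _.,-]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeForHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the onclick row. Order matters: JS-escape first (innermost), then
// HTML-escape the finished script (outermost). The browser reverses this:
// it HTML-decodes the attribute value, then the JS engine parses the literals.
function renderRow(scenarioId, name) {
  const script =
    "ClosePopup('" + escapeForJsString(scenarioId) + "', '" +
    escapeForJsString(name) + "');";
  return '<tr onclick="' + escapeForHtmlAttr(script) + '"></tr>';
}

// Constructed sample input: a name containing the single quote from the question.
const sampleRow = renderRow("42", "O'Brien");
// Renders: <tr onclick="ClosePopup(&#39;42&#39;, &#39;O\u0027Brien&#39;);"></tr>
```

Because every escaped character is a \uXXXX sequence, the JS-escaped text is also a valid JSON string body, which gives a cheap round-trip check that the literal parses back to the original value.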