sp9
Reputation: 755
EncodeUri Function in JavaScript
I am generating a search output based on a user query and generating search result pages like this
location.href = root_url + "SearchCenter/Pages/internal.aspx" + "?q=" + st
I am looking into protecting against XSS attacks.
I am using encodeURI to protect against the attack with
encodeURI("http://Server.com/SearchCenter/Pages/internal.aspx?q=<script>alert('dd')</script>)"
which outputs
http://server.com/SearchCenter/Pages/internal.aspx?q=%3Cscript%3Ealert('dd')%3C/script%3E)
Now what if instead of tag they enter JavaScript:Alert('dd') which encodeURI would not protect against.
So my question is that is there any JS library or function that I can use to protect against URL XSS attacks.
Upvotes: 0
Views: 91
Answers (1)
Koen Peters
Reputation: 12916
You should solve this server side. Never trust the client so whatever it sends should be vetted on the server before being rendered in the HTML. So accept whatever they send and use a server component to make sure that whatever gets outputted is safe.
Upvotes: 3
Related Questions
- javascript encodeURI() output
- Encode GET value in Javascript
- How to encode text using jquery?
- reverse function to encodeURI()
- Encoding elements with jQuery
- How to encode javascript function
- Javascript encode function and unicode
- HTML Encode String
- How to simply encode and decode a string variable
- Encode text to JavaScript function