Helmut Granda

Reputation: 4685

xss javascript protection

So I am using the jQuery UI library to open new dialog windows. When the new dialog windows are opened I am passing some parameters like this:

<a href="http://www.mysite.com/custompage.html?width=100&height=200&param1=abc&param2=http://www.anothersite.com&param3=custom3">open modal</a>

The site works fine and no issues at all, my custompage.html just picks up those values that were passed and they are being used on the page, something like this:

var a = customfunctionget(param1); var b = customfunctionget(param2)....

I just received a report that we are vulnerable to Cross-Site Scripting attacks by replacing any of the params with something like this:

><script>alert(123)</script><param 

I understand what is supposed to happen, but on any browser that I try to inject the script in, the alert is never displayed, so the "script/injection" is not being processed. The custompage.html stops working as expected since we need the values to be entered correctly, but there is nothing I can do in that respect.

Is there a magic pill that I am missing here? Most of the XSS information that I find does the same thing, try to inject an alert through a tag, but other than me refusing to display any content if the parameter is not well formed, I don't know what else can be done.

Any recommendations, tutorials welcome.

Upvotes: 2

Views: 5643

Answers (2)

Shehan Simen

Reputation: 1306

There is an encodeURIComponent() function in JavaScript to encode special characters to avoid inserting scripts.

Upvotes: 0

hvgotcodes

Reputation: 120198

One of the easiest things you can do is encode all <, >, and & characters as &lt;, &gt;, and &amp;, respectively. Whenever a browser sees a <something> it thinks it's a DOM element. If you encode those characters, the browser will actually display them. This will foil people trying to execute <script>badstuff</script> on your site.

Note that people won't be able to do things like add <b> tags to things if you do this.

The above suggestion is a first step, but is by no means exhaustive.

I just found this, which seems like a good guide.

Upvotes: 2
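The encoding this answer describes, worked through on the question's own URL and payload as an added example (not code from the question or either answer). It escapes &, <, > and, going a step beyond the answer, the two quote characters so the result is also safe inside attribute values; getParam, parseDimension, parseHttpUrl and renderDialogFragment are assumed helper names standing in for the question's customfunctionget(), and SAMPLE_URL is a constructed input.

```javascript
// Map of HTML-significant characters to their entities. The answer lists
// < > & ; quotes are added so escaped values are also safe in attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read one query parameter from a full URL (assumed helper; stands in for the
// question's customfunctionget()). Returns null when the parameter is absent.
function getParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Parameters with a known shape are validated, not just escaped: width/height
// must be a positive integer no larger than `max`, otherwise null.
function parseDimension(value, max = 4000) {
  if (!/^\d{1,4}$/.test(value || '')) return null;
  const n = Number(value);
  return n > 0 && n <= max ? n : null;
}

// param2 is used as a link target, so only http(s) URLs are accepted;
// a javascript: or data: value never reaches an href attribute.
function parseHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Build the HTML fragment custompage.html would insert. Returns null when any
// structured parameter fails validation; free text (param1) is escaped.
function renderDialogFragment(url) {
  const width = parseDimension(getParam(url, 'width'));
  const height = parseDimension(getParam(url, 'height'));
  const link = parseHttpUrl(getParam(url, 'param2'));
  const title = escapeHtml(getParam(url, 'param1') || '');
  if (width === null || height === null || link === null) return null;
  return `<div style="width:${width}px;height:${height}px">` +
    `<a href="${escapeHtml(link)}">${title}</a></div>`;
}

// Constructed sample: the question's URL with its reported payload in param1.
const SAMPLE_URL = 'http://www.mysite.com/custompage.html?width=100&height=200' +
  '&param1=' + encodeURIComponent('><script>alert(123)</script><param ') +
  '&param2=http://www.anothersite.com&param3=custom3';
```

With the payload in param1, renderDialogFragment yields the text &lt;script&gt; inside the anchor rather than a live script tag, and a non-numeric width makes it return null instead of rendering anything.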
