Escape all characters that need to be escaped

Question

I am using a modal window in my asp.net application. On clicking a button I do some serverside processing and then use cs.RegisterStartupScript to close the window and return a value to the parent window. To do that I use RegisterStartupScript to run window.close.

Now the problem i am having is that I want to send a return value (a string) to the parent. But since the string is a user entered text that can have any characters, I need to escape all of them. Without that I am unable to send the return value to the parent.

This is my script that causes failure (error message : unterminated string constant DO you want to continue running scripts on this page?)

  StringBuilder saveScript = new StringBuilder();
    saveScript.Append("var template = new Object();");
    saveScript.AppendFormat("template.DescriptionPlainText = \"{0}\";",description);
    saveScript.Append("window.returnValue = template;");
    saveScript.Append("window.close();");
    cs.RegisterStartupScript(typeof(myPageType), scriptName, saveScript.ToString(), true);

description is a string.

However this succeeds

StringBuilder saveScript = new StringBuilder();
saveScript.Append("var template = new Object();");
saveScript.AppendFormat("template.DescriptionPlainText = \"{0}\";","xx");
saveScript.Append("window.returnValue = template;");
saveScript.Append("window.close();");
cs.RegisterStartupScript(typeof(myPageType), scriptName, saveScript.ToString(), true);

Answer 1

Consider using AntiXss library for encoding text for Html/JavaScript consumption. Check out older article on AntiXss with some more guidance.

 AntiXss.JavaScriptEncode("r'\"a&<>dom!");

Answer 2

If you escape your user input description for Javascript use, then it should work fine.

See here: Escape Quote in C# for javascript consumption