Embed Size (px)
Citation preview
HTML and JS Escaping HowTo
What is escaping ?Escaping is a way to differentiate between characters used
as part of syntax of a language and data.
Eg:
Java: String name="My name is \"";
Javascript: Var name= "My name is \"";
Html : <input type="text" value="My name is "">
HTML EscapingReserved Characters in HTML
HTML and XHTML processors must support the five special characters listed in the table below:
Character Entity Number Entity Name Description
" " " quotation mark
' ' ' apostrophe
& & & ampersand
< < < less-than
> > > greater-than
<!ENTITY amp CDATA "&" -- ampersand, U+0026 ISOnum -->
Javascript Escapingin Javascript you can use single quote(') or double quote as
delimiter for strings .
So If you have either double quote or single quote in the value it should be escaped as follows
var iAmSingleQuote='\'';
var iAmDoubleQuote="\"";
HTML & JS EscapingIn case we need Both javascript HTML escaping do javascript escaping
first and then do HTML Escaping
Original
--------------
<input type ='submit' onClick='message("You can enter single quote(') and double quote(")");'/>
Corrected with HTML and Javascript escaping
----------------------------------------------------------------
<input type ='submit' onClick='message("You can enter single(\') and double(\") quotes");'/>
URL EncodingWhy :RFC 1738: Uniform Resource Locators (URL) specification
The specification for URLs (RFC 1738, Dec. '94) limits the use of allowed characters in URLs to only a limited subset of the US-ASCII character set:
"...Only alphanumerics [0-9a-zA-Z], the special characters "$-_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."
• URL encoding of a character consists of a "%" symbol, followed by the two-digit hexadecimal representation (case-insensitive) of the ISO-Latin code point for the character.
• Eg :
Use the javascript method encodeURIComponent() to encode all parameter values in URLs and encodeURI() to encode the whole URL.
escape() method in javascript is deprecated and shouldn't be used.
Recommendation: HTML Escaping
Use standard tag libraries like JSTL and Spring Tags.They handle escaping by default.They have boolean attributes related to escaping which are by default true.
Eg : Spring form tag
<form:input disabled="${!canModify}" path="county" htmlEscape =“true” />
JSTL out tag
<c:out value="${errorMessage}“escapeXml =“true”/>
Recommendation: Javascript Escaping• Get values from the Dom as much as
possible and avoid assigning values from server side
Reference
http://xkr.us/articles/javascript/encode-compare/#ref-js-ns
http://www.permadi.com/tutorial/urlEncoding/
http://www.blooberry.com/indexdot/html/topics/urlencoding.htm
http://www.w3.org/TR/REC-html40/sgml/entities.html
