
[WEB SECURITY] Question about escaping strings in javascript



Dear list,

Looking at http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript , they present a list of characters that should always be escaped in Javascript. This brings me to a few questions, which I hope some of the smart people on this list can answer.

1. Does this PHP function do its job for escaping javascript:

        class Escape {
            // Escapes a string for use inside a JavaScript string literal.
            // Assumes the input is UTF-8: the three Unicode line terminators
            // are matched by their UTF-8 byte sequences, not by a single byte
            // or by their code point value written as two ASCII bytes.
            static function javascript($string) {
                $replace = array(
                    '\\' => '\\\\',              // backslash first; it must never re-escape the escapes below
                    "\t" => '\t',
                    "\n" => '\n',
                    "\r" => '\r',
                    "\xC2\x85" => '\u0085',      // U+0085 NEXT LINE
                    "\xE2\x80\xA8" => '\u2028',  // U+2028 LINE SEPARATOR
                    "\xE2\x80\xA9" => '\u2029',  // U+2029 PARAGRAPH SEPARATOR
                    "'" => '\x27',
                    '"' => '\x22',
                    '&' => '\x26',
                    '<' => '\x3c',               // keeps "</script>" out of the emitted markup
                    '>' => '\x3e',
                    '=' => '\x3d',
                );
                // strtr() with an array scans the input once and never re-scans
                // text it has already replaced, so the table order cannot lead
                // to double escaping the way sequential str_replace() calls can.
                return strtr($string, $replace);
            }
        }


2. Does the latter function only work when the output encoding is UTF-8, or would it still be applicable to ISO-8859-1? I realize this probably isn't usable for UTF-7.
3. PHP's built-in function addslashes() only escapes the single quote, double quote and null character. Is this not sufficient?
4. Assuming question #3 is true, how can \u2028 (line separator), \u2029 (paragraph separator) and \u0085 (next line) be used in an exploit?


Thanks a lot for your answers. I'm intending to write an article on this subject on www.rooftopsolutions.nl, but I want to make sure I got my facts straight.

Evert
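The escaping table from the PHP function above, ported to JavaScript as an added example (not code from the post, from the doctype article, or from PHP itself) so that its output and the output of an addslashes()-style escaper can be compiled the way a browser would compile an inline <script>. It assumes the value being embedded is already a JavaScript (UTF-16) string, so each line terminator is one code unit; the function names and the SAMPLE value are constructed for the illustration.

```javascript
// Added example, not code from the original post: the same escaping table as
// the PHP function, used to check what an engine does with the result.

const JS_ESCAPES = {
  '\\': '\\\\',
  '\t': '\\t',
  '\n': '\\n',
  '\r': '\\r',
  '\u0085': '\\u0085', // U+0085 NEXT LINE
  '\u2028': '\\u2028', // U+2028 LINE SEPARATOR
  '\u2029': '\\u2029', // U+2029 PARAGRAPH SEPARATOR
  "'": '\\x27',
  '"': '\\x22',
  '&': '\\x26',
  '<': '\\x3c',        // keeps "</script>" out of the emitted markup
  '>': '\\x3e',
  '=': '\\x3d',
};

// Equivalent of the posted javascript() escaper. One regex pass with a lookup
// table never re-scans its own output, so a backslash is escaped exactly once.
function escapeForJsString(value) {
  return String(value).replace(/[\\\t\n\r\u0085\u2028\u2029'"&<>=]/g, (c) => JS_ESCAPES[c]);
}

// Imitation of PHP's addslashes(): only ' " \ and NUL are escaped.
function addslashes(value) {
  return String(value).replace(/[\\'"\0]/g, (c) => (c === '\0' ? '\\0' : '\\' + c));
}

// Emit the inline script a template would produce, compile it as a browser
// would, and report whether the value survives as one intact string literal
// and whether the markup still contains a raw "</script".
function embedAndEvaluate(value, escaper) {
  const source = "var s = '" + escaper(value) + "'; return s;";
  const leavesScriptBlock = /<\/script/i.test(source);
  try {
    const s = new Function(source)();
    return { compiles: true, roundTrips: s === value, leavesScriptBlock };
  } catch (e) {
    return { compiles: false, roundTrips: false, leavesScriptBlock, error: e.name };
  }
}

// Constructed sample value containing every character the table covers.
const SAMPLE = "O'Reilly \"x\"\t\n\r\u0085\u2028\u2029 a&b <c> d=e \\ </script>";

console.log('table escaper:', embedAndEvaluate(SAMPLE, escapeForJsString));
console.log('addslashes:   ', embedAndEvaluate(SAMPLE, addslashes));
```

The addslashes() version fails to compile because the raw newline ends the string literal early, and its output still carries a literal </script>, which the HTML parser acts on before the JavaScript parser ever sees the string. Engines that implement ES2019 or later accept a raw U+2028 or U+2029 inside a string literal, so on current Node the compile check only trips on the newline; older engines treated both separators as line terminators, which is why the table escapes them as \u2028 and \u2029.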

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
