Home/ Questions/Q 3316010
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T22:25:07+00:00

I’m using a literal to display some javascript on a product page control. Basically

  • 0

I’m using a literal to display some javascript on a product page control. Basically what I’m doing is in my code behind I’m declaring a new stringbuilder, writing the script while inserting some dynamic variables to populate the script then setting the literal text to the stringbuilder. This leaves me open to xss attacks. What can I do to prevent this?

EDIT. Here is an example of the stringbuilder. when the page gets loaded the xss vulnerability occurs right after the javascript is generated.

System.Text.StringBuilder sb = new System.Text.StringBuilder();
            //loop through items in the collection
            for (int i = 0; i < _prod.ActiveProductItemCollection.Count; i++)
            {
                sb.Append("<script type='text/javascript'>");
                //add +1 to each item
                sb.AppendFormat("mboxCreate(\"product_productpage_rec{0}\",", i+1);
                sb.Append("\"entity.id=" + _prodID + "\",");
                sb.Append("\"entity.categoryId=" + _categoryID + "\",");
                sb.Append("\"entity.name=" + _prod.ActiveProductItemCollection[i].Title + "\",");
                sb.Append("\"entity.pageURL=" + Request.Url.ToString() + "\",");
                //The following value has been taken from the productImageControl code behind.
                //Might have to refactor in future as a property of the image control.
                string filename = AppSettingsManager.Current.ProductImagePathLarge + _prod.ActiveProductItemCollection[i].Sku
                    + AppSettingsManager.Current.ProductImageExtension;
                sb.Append("\"entity.thumbnailURL=" + filename + "\",");
                sb.Append("\"entity.inventory=" + _prod.ActiveProductItemCollection.Count + "\",");
                sb.Append("\"entity.value=" + _prod.ActiveProductItemCollection[i].ActualPrice + "\",");
                sb.Append("\"entity.ProductItemID=" + _prod.ActiveProductItemCollection[i].Sku + "\",");
                sb.Append("\"entity.addToCartImg=~/Images/Buttons/btn_AddToCartFlat.gif\");<");
                //The last line has to be /script. < inserted on prev line. do not change it or bad things will happen.            
                sb.Append("/script>");
            }
            this.LiteralMBoxScript.Text = sb.ToString();
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to properly encode any user-generated data that you’re putting into the Javascript.

    In ASP.Net 4.0, you can call HttpUtility.JavaScriptStringEncode.
    In earlier versions, you can use the Web Protection Library.

    • 0