8

I have a MVC3 HtmlHelper extension like this:

    public static MvcHtmlString ShowInfoBar(this HtmlHelper helper, string message, InfoMessageType messageType)
    {
        return MvcHtmlString.Create(String.Format(@"<script type=""text/javascript"">$(document).ready(function () { gtg.core.showInfoBar('{0}', '{1}'}; );</script>", message, messageType.ToString().ToLower()));
    }

The value of message is "The product "Product Name" was saved successfully."

The value of messageType is info.

It keeps saying Input string was not in the correct format.

I am stuck??

    Is there an error if you just enter the string without using the String.Format() method on it? Commented Aug 17, 2011 at 17:55

5 Answers

21

On every brace that isn't a token you must double - so

function() {{

Etc

Also - consider XSS here - is message escaped correctly for inserting into JavaScript?


10 Comments

Could you point me somewhere to learn about this a little more? Thanks!
Which, XSS? Anywhere. Wikipedia would be a start. All you'd need is a ' message " with ' quotes " in to test it (although full escaping is more than just quotes)
Excellent mention of whether the method parameter is escaped for JavaScript correctly.
@Sam right; so currently it is broken. Now imagine that I carefully created a product name like '); stealYourCookiesAndPostThemSomewhere(); // - and I've hacked your login - hence XSS. The simplest option is to write the data to a hidden element somewhere and read it out. Another option is to use something like JavascriptSerializer to write JSON (which will then be escaped). A plain JSON escape would be welcome, too.
@Sam it all depends on context of course - you could argue that simply not being able to correctly handle O'Neills' biscuits is enough of a bug. But also don't underestimate the amount of evil committed internally to an organisation (especially shortly after a bad pay review, etc) - it isn't just the unwashed public that are capable of doing harm.
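An added example, not code from the asker or from any of the answers, that combines the two points made in this answer: the JavaScript braces are doubled so String.Format treats only {0} and {1} as tokens, and both inserted values are encoded as JavaScript string literals with HttpUtility.JavaScriptStringEncode so a message containing quotes or a closing script tag stays data. The InfoMessageType enum body and the gtg.core.showInfoBar client function are assumed from the question.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Assumed shape of the asker's enum; only ToString() is used below.
public enum InfoMessageType { Info, Success, Warning, Error }

public static class InfoBarExtensions
{
    public static MvcHtmlString ShowInfoBar(this HtmlHelper helper, string message, InfoMessageType messageType)
    {
        // Every brace that belongs to the JavaScript is doubled ({{ and }}) so String.Format
        // does not read it as a format token; {0} and {1} are the only real tokens.
        // The tokens are no longer wrapped in '...' because the encoder adds the quotes itself.
        const string template =
            @"<script type=""text/javascript"">$(document).ready(function () {{ gtg.core.showInfoBar({0}, {1}); }});</script>";

        // addDoubleQuotes = true emits a complete, quoted JavaScript string literal.
        // The encoder escapes quotes, backslashes, control characters and < > &, so a
        // product name such as  O'Neills' biscuits  or a message containing </script>
        // arrives in the browser as a string value rather than as executable code.
        string jsMessage = HttpUtility.JavaScriptStringEncode(message, true);
        string jsType = HttpUtility.JavaScriptStringEncode(messageType.ToString().ToLower(), true);

        return MvcHtmlString.Create(String.Format(template, jsMessage, jsType));
    }
}
```

The same encoder can be applied on its own (without the extension) whenever a server-side value is written into an inline script; the rendered output for the question's sample message is a double-quoted literal in which the inner double quotes are escaped.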
10

Escape your squiggly brackets {{ }} in the format string

String.Format(@"<script type=""text/javascript"">$(document).ready(function () {{ gtg.core.showInfoBar('{0}', '{1}'); }});</script>", message, messageType.ToString().ToLower())


5

You need to escape the curly braces:

{{ and }}

String.Format(@"<script type=""text/javascript"">$(document).ready(function () {{ gtg.core.showInfoBar('{0}', '{1}'); }});</script>", 
              message, messageType.ToString().ToLower())


1

In my case I used the bracket for JsonP formatting. JsonP requires a '{' too. By escaping the { like this: '{{', my problem was solved.


0

I have tried as below, and it's working.

string.Format(@"ExecuteOrDelayUntilScriptLoaded(function () {{ Your function. 
