1

I load a lot of JavaScript from my DB for validation and for custom validation, which can be uploaded by my customer, so I want to validate whether the given JavaScript is valid or not while rendering it on my page. I am using the MVC 3.0 Razor view engine.

Please help me find a way to fix it.

Thanks Ashies

4
  • It's difficult to answer your question as the English is quite bad. Can you re-write it? Commented Jan 4, 2013 at 10:23
  • 2
    Letting your users upload JavaScript that you then execute is a terrible idea. Commented Jan 4, 2013 at 10:23
  • @AnthonyGrist I'm not sure but I think the OP is saying that the javascript is stored in the DB and the customer can choose to use it - but then again!! Commented Jan 4, 2013 at 10:42
  • @amelvin Possibly, though if he had full control over the JavaScript code he wouldn't have to validate it every time. Commented Jan 4, 2013 at 10:44

3 Answers

1

Your task is simply not recommended. Rendering JavaScript code directly from the database is dangerous because you are leaving the doors wide open to XSS attacks.

However, yes, you can validate JSCode normally with JSLint.

There is a plugin for Visual Studio, and of course there might be a way to use the functionality packed in the JSLint DLL so you can check your JavaScript.

These two posts might point you in the "right" direction. (I still have to say that rendering user-entered JS code is fundamentally wrong.)

http://www.codeproject.com/Articles/21438/JSLint-VS-JavaScript-Verifier-for-Visual-Studio

http://blog.outsharked.com/2011/08/sharplinter-command-line-tool-for.html


1

I assume that you are working with Visual Studio 2010/2012.

As Adrian Salazar said:

Your task is simply not recommended. Rendering JavaScript code directly from the database is dangerous because you are leaving the doors wide open to XSS attacks.

That being said, I would highly recommend rethinking your current design. If you're planning on doing so, you should have a look at Web Essentials, which is a plugin available from NuGet. It has JSHint integrated, which will check your JavaScript after saving a file or on building your application within Visual Studio.

Also downloadable as installer:

http://visualstudiogallery.msdn.microsoft.com/6ed4c78f-a23e-49ad-b5fd-369af0c2107f

or for 2012:

http://visualstudiogallery.msdn.microsoft.com/07d54d12-7133-4e15-becb-6f451ea3bea6


0

JavaScript syntax checking is tricky because there is so much scope for generating silent run-time errors based on how primitives are handled (for example).

There are verifiers like JSLint available and you can build your own techniques for verification.

I use the following structure for JavaScript files (using jQuery), setting a class ("scriptVerified") on the body tag if the script runs completely, which can quickly tell you if the script looks syntactically OK. But event handlers can still go wrong when the event is fired.

@AdrianSalazar's security warning is worth listening to.

$(document).ready(function () {
    pageScript.Init();
});

var pageScript =
{
    Init: function()
    {
        pageScript.CleanUp();
        pageScript.RegisterHandlers();
        pageScript.Start();
        pageScript.Final();
    },

    CleanUp: function()
    {
        //put page cleanup stuff in here
    },

    RegisterHandlers: function()
    {
        //register event handlers in here
    },

    Start: function()
    {
        //put page js code in here
    },

    Final: function () {
        $("body").addClass("scriptVerified"); //add class to body to say this has run
    }
};
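
The answers above separate syntax checking from run-time behaviour and from safety; the following added example, which is not part of any answer, shows that split on constructed sample scripts. `checkSyntax` and `checkAll` are hypothetical helper names, and the samples stand in for rows loaded from the database.

```javascript
// Added example: syntax-only check of a stored script (constructed samples).
// checkSyntax is a hypothetical helper, not part of JSLint or JSHint.

function checkSyntax(source) {
    try {
        // The Function constructor parses `source` as a function body.
        // The resulting function is never called, so nothing in `source` runs.
        new Function(source);
        return { ok: true, error: null };
    } catch (e) {
        if (e instanceof SyntaxError) {
            return { ok: false, error: e.message };
        }
        // e.g. EvalError when a Content-Security-Policy without
        // 'unsafe-eval' forbids compiling code from strings.
        throw e;
    }
}

// Constructed sample scripts.
var samples = {
    valid: "function isPositive(v) { return Number(v) > 0; }",
    broken: "function isPositive(v) { return Number(v) > 0; ",
    // Parses fine, but would throw a ReferenceError if it were executed.
    runtimeError: "validateOrder(undefinedVariable.total);",
    // Parses fine; a syntax check says nothing about what a script does.
    readsCookie: "var c = document.cookie;"
};

// Returns { sampleName: true|false } for each script in `scripts`.
function checkAll(scripts) {
    var report = {};
    Object.keys(scripts).forEach(function (name) {
        report[name] = checkSyntax(scripts[name]).ok;
    });
    return report;
}

console.log(checkAll(samples));
```

Only the `broken` sample is rejected. The run-time failure and the cookie-reading script both pass, which is why a syntax check cannot stand in for controlling who may author the scripts that get rendered.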
