0

What is the difference between JavaScript encoding and URL encoding. I am not able to figure out exact difference between them. Also that are following types of encoding are called

  1. %HH

  2. \u00HH

  3. &#HH;

  4. \\

  5. \HH

Any more encoding schemes used in Web technologies?

Improve this question
4
  • Where did you get the term, "JavaScript encoding"? Do you mean JSON? Commented Feb 19, 2014 at 15:58
  • @pointy I gave an interview and interviewer was continuously stressing on JavaScript encoding. I thought I do not know about it. Commented Feb 19, 2014 at 16:03
  • @Bergi not completely. Commented Feb 19, 2014 at 16:05
  • @Pointy It is another term for JavaScript escaping. Not JSON itself, but a subset (by that I mean used per string literal). e.g. changing " to \x22 Commented Feb 19, 2014 at 18:47

1 Answer 1

Reset to default
1

%HH

Percent encoding as used in URIs.

\u00HH

Unicode escape sequence. For JavaScript specific things, read the spec on String literals.

&#HH;

HTML entity, or numeric character reference.

\\

Could be anything. Usually escaping the backslash when the backslash is used for escaping things.

\HH

Maybe you're referring to a named escape sequence here. See escape sequences in C-based languages

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

If I escape all the data using &#HH; or %HH encoding, will I be completely safeguarded for XSS attack?
@Gaurav: No. URI encoding should not play a role in XSS. Escaping strings in the HTML is definitely good practice, but there are still XSS attacks that can work around that.
<img src="#" onmouseover="<?php echo htmlspecialchars($_GET['xss']); ?>"> is vulnerable to alert(1) string. What encoding is suggested? There are more such cases.
onmouseover does expect a js expression, so I'm not sure what you want. You might consider something like <img src="#" onmouseover="<?php echo htmlspecialchars("alert(".json_encode($_GET['xss']).");"); ?>">
Does json_encode only gives wrapper on double quotation? Also is it available in all web development languages?
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.