
I need to HTML ENCODE in JavaScript (client side) a string (where the user could insert HTML tags) from a TextBox, so bypassing Request.Validation.

JavaScript should encode the string and display it encoded in a Label.

       <asp:TextBox ID="uxValueInput" runat="server"></asp:TextBox>
       <br />
       <asp:Label ID="uxResultEncoded" runat="server" Text="Label"></asp:Label>
       <asp:Button ID="uxEncodeButton" runat="server" Text="Button" />

I am new to JavaScript and I have tried different scripts from the web but with no success. Could you please post a really simple example so I would be able to understand how it could work? Thanks!

  • Don't. If you need it encoded in a consistent way, then do it on the server where you have complete control over it. ASP.NET isn't bad enough to prevent you doing that, surely? Commented Jan 3, 2011 at 11:24
  • Sorry guys, I need to HTML ENCODE a string! Commented Jan 3, 2011 at 11:27
  • To David: I need to bypass Request.Validation for ASP.NET; I cannot disable it at Page level. Let me know if you have any idea. Thanks! Commented Jan 3, 2011 at 11:28

1 Answer

I'm with David Dorland: Don't do this client-side, instead disable request validation (here's an article saying how). But if you do that, be sure you also use Anti-XSS or similar libraries to prevent exactly what it is that ASP.Net is trying to protect you from.

However, if you have a genuine use-case for doing minimal HTML-encoding on the client, you can do this:

// Map each raw character to the HTML entity that stands for it.
var escapes = {
    '<': '&lt;',
    '>': '&gt;',
    '&': '&amp;'
};
// A sample string containing markup that must not be interpreted by the browser.
var raw = "Hi, I'm an <scr" + "ipt src='http://evil.example.com/attack.js'><\/script> evil & malicious attack.";
// Replace every <, > or & with its entity; the callback is invoked once per match.
var encoded = raw.replace(/[<>&]/g, function(m) {
    return escapes[m];
});

Live example

Here's how that works:

  1. We have a map called escapes which maps the raw character to the HTML entity for it (so maps < to &lt;, etc.).
  2. Our raw string has a malicious script.
  3. We use String#replace and a regular expression to search for all <, >, and & characters and replace them with their equivalent entity. When you pass a function into String#replace as the second argument, it gets called for each match and uses the return value as the replacement. The regex, /[<>&]/g, means "find <, >, or & globally (the g flag) within the string".
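As an added example (not part of the original answer), here is the same map-plus-regex approach extended to the two quote characters, which matters as soon as the encoded value lands inside an attribute, together with the wiring for the page's TextBox, Button and Label. It assumes the rendered element ids equal the server-side IDs (ClientIDMode="Static" or no naming container); the browser-side step is only a display convenience, because a client can submit anything it likes, so the server must still encode on output as the answer says.

```javascript
// Added example, not the original answer's code: a client-side HTML encoder
// covering the five characters that matter in text and attribute contexts.
// One regex pass with a callback means there is no ordering bug (encoding
// "&" after "<" would otherwise re-encode the "&lt;" just produced).
var htmlEscapes = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;'   // &apos; is not defined in HTML 4, so use the numeric form
};

function escapeHtml(str) {
    return String(str).replace(/[&<>"']/g, function (ch) {
        return htmlEscapes[ch];
    });
}

// Deliberately naive sequential version, kept to show the ordering pitfall:
// encoding "<" first and "&" second double-encodes the entity just produced.
function escapeHtmlWrongOrder(str) {
    return String(str)
        .replace(/</g, '&lt;')
        .replace(/&/g, '&amp;');
}

// Wiring for the page's controls (assumption: the rendered element ids are
// the server-side IDs). The Label receives the encoded text via textContent,
// so the browser never parses the user's input as markup; preventDefault
// stops the ASP.NET button from posting the form back.
if (typeof document !== 'undefined') {
    document.getElementById('uxEncodeButton').addEventListener('click', function (ev) {
        ev.preventDefault();
        var raw = document.getElementById('uxValueInput').value;
        document.getElementById('uxResultEncoded').textContent = escapeHtml(raw);
    });
}
```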

3 Comments

Thanks T.J., but I CANNOT disable request validation and I need to ENCODE HTML with JavaScript. Do you know how to do it? It should be pretty easy... but I have never done any JavaScript so I need your help :-)
@GIbboK: Just added a very basic example.
@GIbboK: No worries, I just added an explanation as well. But again, do look at that article in hopes that you can do this another way. It offers a code-level solution, not a machine.config solution. Best,
