How to avoid cross script attack to a data passed as javascript in ASP.NET?

Question

0.00/5 (No votes)

See more:

I want to avoid cross script attack to a data passed as javascript in asp.net with c#. I am passing data in javascript where label data passed to the input html controls where data manipulation is being done from the pop up screen/window

document.getElementById('ctl00_cphDDS_lblSelectedOriginator').innerHtml = dialogWindow.CompanyName;

What I have tried:

Passing javascript function as below:

<pre>function showModalWindowForUtilityOIC_PAUT(cntrl) {
    if (SessionTimeOutRedirection()) {
        
        var Bank = document.getElementById('ctl00_cphDDS_ddlBankType').value;
        var dialogWindow = window.showModalDialog('ViewOIC.aspx?Bank=' + Bank + '&&Type=U&&InstructionCode=' + cntrl, 'mywindow', 'dialogWidth:875px; dialogHeight:400px; center:yes; status = no; toolbar = no; menubar = no');
        if (dialogWindow != null) {
          
            //Updated on 10.06.2019 for Cross Side Script Attack Start
            document.getElementById('ctl00_cphDDS_lblSelectedOriginator').innerHTML = dialogWindow.CompanyName;
          
            
        }
        return true;
    }
}

Posted 13-Jun-19 22:00pm

ranio

Updated 13-Jun-19 22:12pm

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

F-ES Sitecore · Answer 1 · 2019-06-13T22:12:00

Solution 1

You need to html encode the text when setting it to innerHTML. I'm not sure javascript has a built-in function to do this, but there is sample code on how to do it if you google

HTML Encode and Decode with Javascript - Strictly Software[^]

Posted 13-Jun-19 22:12pm

F-ES Sitecore

Comments

ranio 14-Jun-19 4:59am

what about using innerText instead of innerHtml
document.getElementById('ctl00_cphDDS_lblSelectedOriginator').innerText = dialogWindow.CompanyName;

F-ES Sitecore 14-Jun-19 5:08am

Try it and see