-3

Imagine a user inputs the following into a form:

I'd like to "eat" something.

The phrase contains both a single ' and two "'s. If I were to write this directly as a JS string I'd have to escape the ' to prevent my string from terminating early:

var phrase = 'I\'d like to "eat" something'

What is the behavior of the browser when a user (or potentially malicious actor) inputs a ' or " into a form and saves it to a var? Will the characters be automatically escaped?

EDIT 16/04/14: Reworded the question.

Yoshua Wuyts
    Perhaps. Try. It. Out? – PeeHaa May 15 '14 at 21:16
  • You only have to escape it when writing the string in a script file. For instance, try console.log('I\'d like to "eat" something') in your favorite browser's console. – Nick May 15 '14 at 21:19
  • 3
    @YoshuaWuyts Considering that you just typed all those characters into a form in order to type this question, and then posted it, obviously it is not catastrophic. – Chris Baker May 15 '14 at 21:23
  • If you're writing in _HTML_, escape for _HTML_. If you're writing in _JavaScript_, escape for _JavaScript_. If you're writing in _SQL_, escape for _SQL_. If you're writing for many of these at once, escape them for the order they'll be interpreted. If you're just typing into a _control_ and there is no interpreting going on, there is no escaping required. – Paul S. May 15 '14 at 21:30
  • @Chris, I realize that. However, I'm curious as to how the browser handles saving input to a variable in light of possible XSS attacks. – Yoshua Wuyts May 16 '14 at 16:17
  • @PaulS. Could you give an example of how to escape for JS? There's no built-in function to do that. – Yoshua Wuyts May 16 '14 at 16:20
  • @YoshuaWuyts I don't understand; why would _JavaScript_ have a function to escape quotes for _JavaScript_? By then it would already be too late. Additionally, don't use the evil `eval` or variants thereof – Paul S. May 16 '14 at 16:22

2 Answers

1

It runs whatever internal code is needed to display the typed data in the UI.

If you access the data via JS and the DOM, then it will give you a data structure (a string) with those characters represented in the data.

If you submit a form, it will encode the data (according to the encoding specified by the enctype attribute on the form element), and put it in an HTTP request.

You need to worry about escaping characters with special meaning when you write code because some characters have special meaning in code.

User input doesn't have special meaning unless you start treating it as code (e.g. by evaling it, or mixing it with other code (such as SQL or HTML) and putting it somewhere where that code will be parsed (such as sending it to a database server or putting it in an HTTP response)).

Quentin
0

Inputting it as the user in the form is not a problem. It will be automatically encoded by the browser when it is sent to the server. A problem would be to have a default value in the HTML source code like this:

<input type="text" value="I&#39;d like to &quot;eat&quot; something"/>

Those values would have to be encoded for it to not break the HTML.

Koen Peters
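Both answers come down to the same rule: the phrase is harmless as data and only needs escaping for the context you splice it into. The following is an added example (not code from either answer) that encodes the question's phrase for an HTML attribute, as in the second answer's input tag, and for a JS string literal inside a script, contrasted with the raw splice that ends the attribute at the first double quote. `JSON.stringify` is used here as the JS-literal escaper; the extra replacements are an assumption about what a script context additionally needs.

```javascript
// Added example: context-specific escaping of the phrase from the question.
const phrase = 'I\'d like to "eat" something';

// Escape for an HTML text node or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Escape for use inside a JS string literal in a <script> block.
// JSON.stringify handles quotes and backslashes; the replacements below
// keep "</script>" from closing the script element and keep U+2028/2029
// (line terminators in older JS engines) from breaking the literal.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The input tag from the second answer, built with the value encoded.
function inputTag(value) {
  return '<input type="text" value="' + escapeHtml(value) + '"/>';
}

// A script fragment that stores the value in a JS variable, encoded.
function scriptAssign(value) {
  return '<script>var phrase = ' + jsStringLiteral(value) + ';</script>';
}

// For comparison only: the value spliced in raw. The HTML parser ends the
// attribute at the first ", so the rest of the phrase is no longer data.
function unsafeInputTag(value) {
  return '<input type="text" value="' + value + '"/>';
}

console.log(inputTag(phrase));
console.log(scriptAssign(phrase));
console.log(unsafeInputTag(phrase));
```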