
I don't have to HTML encode the string. I was trying various solutions, but the problem is still: how do you handle the semicolon entered by the user if you need to do a JS `str.indexOf(";");` later on? I'm using `System.Net.WebUtility.HtmlEncode(test);` to encode my string, which adds semicolons (as you would expect for HTML encoding).

Later down the process this string gets utilized to create JavaScript commands that end with ';'. These commands are separated by doing a `str.indexOf(";");`.

My issue is that the user is allowed to enter a semicolon in the field, which breaks the aforementioned `indexOf(";")`, which I use to dynamically create the JavaScript commands.

How can I support users entering semicolons into a string if I need to do a JS `indexOf(";")` to separate the JS commands?

I tried in the C# side doing a

```csharp
string myString = System.Net.WebUtility.HtmlEncode(test);
```

but that just makes the situation worse by adding even more semicolons as you would expect for HTML encoding.

ConfusedDeer
  • Why are you HTML-encoding the string? – Pointy Jan 26 '16 at 16:28
  • I don't have to HTML encode the string. I was trying various solutions, but the problem is still, how do you handle the semicolon entered by the user if you need to do a JS `str.indexOf(";");` later on. – ConfusedDeer Jan 26 '16 at 16:29
  • Well, in general if you're trying to recognize JavaScript code, the only solid solution is to use a real JavaScript parser. – Pointy Jan 26 '16 at 16:38
  • @Pointy I think I might have found a solution using URL-encoding, which encodes the semicolon. I may be able to encode the semicolon before it gets placed in the string that holds the dynamically created JS code with the non URL-encoded semicolon. – ConfusedDeer Jan 26 '16 at 16:44

1 Answer


The solution I came up with was to do a replace on the C# side. In C# I do a `.Replace` of all % and (other problematic characters) with their URL-encoded string versions before the JavaScript command ending ";" gets inserted (i.e. `myString.Replace(";","%3B").Replace("=","%3D");`).

Once it hits the JavaScript side I do the complete opposite, thus leaving my JS semicolons intact.

The aforementioned solution allowed me to distinguish between a user-inserted semicolon and one entered programmatically.

ConfusedDeer
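The escape-then-split approach from the answer above, as an added example (not code from the original post). It assumes a hypothetical `name=value;` command layout, and the function names are illustrative. It also shows why `%` has to be escaped first and restored last, so that a literal `%3B` typed by a user is not turned into a semicolon.

```javascript
// Added example. The "name=value;" layout and all names here are assumptions.

// Escape "%" FIRST: a literal "%3B" typed by the user becomes "%253B" and can
// no longer be mistaken for an escaped semicolon on the way back.
function escapeField(text) {
  return text.replace(/%/g, "%25").replace(/;/g, "%3B").replace(/=/g, "%3D");
}

// Exact reverse: "%25" is restored LAST.
function unescapeField(text) {
  return text.replace(/%3B/g, ";").replace(/%3D/g, "=").replace(/%25/g, "%");
}

// Incomplete variant that skips "%", kept only to show the failure mode.
function naiveEscape(text) {
  return text.replace(/;/g, "%3B").replace(/=/g, "%3D");
}

// Producer side (the C# side in the post): only programmatic ";" and "="
// appear unescaped in the result.
function buildCommands(pairs) {
  return pairs.map(([n, v]) => escapeField(n) + "=" + escapeField(v) + ";").join("");
}

// Consumer side: split on the programmatic ";" with indexOf, then unescape.
function parseCommands(str) {
  const out = [];
  let start = 0;
  let end;
  while ((end = str.indexOf(";", start)) !== -1) {
    const cmd = str.slice(start, end);
    const eq = cmd.indexOf("=");
    if (eq === -1) throw new Error("malformed command: " + cmd);
    out.push([unescapeField(cmd.slice(0, eq)), unescapeField(cmd.slice(eq + 1))]);
    start = end + 1;
  }
  if (start !== str.length) throw new Error("data after last terminator");
  return out;
}

// Constructed sample input: user text containing ";", "=" and a literal "%3B".
const SAMPLE = [["title", "a;b=c"], ["note", "100%3B off"]];
```

Treat the decoded values as data only; this keeps the delimiters unambiguous but does not make the values safe to evaluate as JavaScript.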