I am reading the doc of owasp-java-encoder. It says that forJavaScriptBlock performs the same encode as forJavaScript with the exception that " and ' are encoded as \" and \' respectively. I don't understand why ' is encoded as \x27 in forJavaScript but encoded as \' in forJavaScriptBlock. What is the difference between \' and \x27?

1 Answer
The documentation for forJavaScript says:

Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source.

Since an HTML attribute can be delimited with ' characters, the content cannot include any ' characters. They have to be represented a different way.

forJavaScriptSource, on the other hand, says:

This method encodes for JavaScript strings contained within HTML script blocks. It is NOT safe for use in script attributes (such as onclick). The caller must provide the surrounding quotation characters. This method performs the same encode as forJavaScript(String) with the exception that " and ' are encoded as \" and \' respectively. Unless you are interested in saving a few bytes of output or are writing a framework on top of this library, it is recommend that you use forJavaScript(String) over this method.

Got it. I didn't realize that `ClickMe` would not give us a popup window before you gave this answer. Thank you very much. – hc ch Nov 03 '17 at 09:12
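The point of the answer above can be shown with a small JavaScript model. This is an added example, not code from the OWASP Java Encoder project: the two encoder functions only imitate the documented difference (hex escapes versus backslash-quote escapes for `"` and `'`) over a reduced character set, and the attribute-parsing helper is a deliberate simplification of how a browser terminates a quote-delimited attribute. It shows that both outputs decode to the same string inside a script block, but only the `\x27` form survives being placed inside a `'`-delimited HTML attribute such as onclick.

```javascript
// Added example (not from the OWASP Java Encoder project). Two simplified encoders
// modelled on the documented behaviour of forJavaScript (hex escapes) and
// forJavaScriptBlock (backslash-quote escapes), plus checks showing where they differ.

// Hex-escape one character as \xNN (only used for chars below 0x100 here).
function hexEscape(ch) {
  return "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0");
}

// Models forJavaScript: quotes become \x22 / \x27, so no raw quote character survives.
function encodeForJavaScript(s) {
  return s.replace(/[\\'"<>&\/\n\r]/g, (ch) => {
    switch (ch) {
      case "\\": return "\\\\";
      case "\n": return "\\n";
      case "\r": return "\\r";
      default: return hexEscape(ch);
    }
  });
}

// Models forJavaScriptBlock: quotes become \" and \', which still contain a raw quote.
function encodeForJavaScriptBlock(s) {
  return s.replace(/[\\'"<>&\/\n\r]/g, (ch) => {
    switch (ch) {
      case "\\": return "\\\\";
      case "\n": return "\\n";
      case "\r": return "\\r";
      case '"': return '\\"';
      case "'": return "\\'";
      default: return hexEscape(ch);
    }
  });
}

// Simplified HTML attribute parsing: an attribute delimited by `delim` ends at the
// first raw occurrence of that delimiter, regardless of any preceding backslash
// (HTML has no backslash escaping). Returns the value the browser would keep.
function htmlAttributeValue(encoded, delim) {
  const end = encoded.indexOf(delim);
  return end === -1 ? encoded : encoded.slice(0, end);
}

// Script-block context: the caller supplies the surrounding quotes, and the JS
// engine interprets the escapes. Both encodings decode to the original text here.
function evalAsSingleQuotedLiteral(encoded) {
  return new Function("return '" + encoded + "';")();
}

function demo() {
  const input = "it's"; // constructed input containing a single quote
  const js = encodeForJavaScript(input);         // it\x27s
  const block = encodeForJavaScriptBlock(input); // it\'s
  return {
    js,
    block,
    // Inside onclick='...' the \' form is cut at the raw quote; the \x27 form is intact.
    jsInAttr: htmlAttributeValue(js, "'"),
    blockInAttr: htmlAttributeValue(block, "'"),
    // Inside <script> with caller-supplied quotes, both give back "it's".
    jsDecoded: evalAsSingleQuotedLiteral(js),
    blockDecoded: evalAsSingleQuotedLiteral(block),
  };
}

console.log(demo());
```

In a script block the JavaScript engine reads `\'` and `\x27` as the same character, so there is no semantic difference there. In an attribute, the HTML parser runs first, knows nothing about backslashes, and ends the attribute at the raw `'` in `it\'s`; the `\x27` form contains no quote character at all, which is why forJavaScript is the one documented as safe for onclick and similar attributes.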