Score: 5

I've been using Microsoft's AntiXss Library and was wondering if there is a good reason why its JavaScriptEncode method wraps the result in single quotes? That behavior seems unconventional.

Dylan Corriveau
Josef Pfleger

2 Answers

Score: 5

Actually, the new 3.0 beta version has a flag: JavaScriptEncode(string input, bool flagforQuote). Setting it to false yields a result without quotes.

http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en

Erlend

Score: 1

Probably to make sure it is returning a string. The usage I've seen is to take input and return a value that you can assign to a variable in JavaScript.

var message=<%=AntiXss.JavaScriptEncode(message)%>;

Now, no matter what was in message, the JS variable message will have the exact input, escaped appropriately, so if some jerk tried to inject JavaScript into that message they'd just see the result of their message being assigned to the message variable.

D. Patrick

Comments:
  • Right. But more often I find myself using JavaScriptEncode to encode untrusted user input that makes up *parts* of strings, and in that scenario it is just annoying to concatenate with ' + ' or remove the quotes manually. I'd also argue that this is not the behavior one would expect, as none of the other methods do anything similar (e.g. HtmlAttributeEncode doesn't wrap the result in double quotes). – Josef Pfleger May 15 '09 at 15:17
  • Couldn't agree more. Very annoying indeed. – Erlend May 29 '09 at 06:39
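To show what both answers describe, here is an added example written for this page in JavaScript: it is not the AntiXss library's code, its escape table is a conservative approximation of the library's (every code unit that is not ASCII alphanumeric is escaped), and the function names, the wrapInQuotes flag standing in for the 3.0 beta flagforQuote parameter, and the sample inputs are my own.

```javascript
// Escape one UTF-16 code unit so it can never terminate a string literal,
// close a <script> block, or end a line (U+2028/U+2029 are line terminators
// in JS source). Alphanumerics pass through; everything else is \xHH or \uHHHH.
function escapeCodeUnit(ch) {
  if (/[A-Za-z0-9]/.test(ch)) return ch;
  const code = ch.charCodeAt(0);
  return code < 0x100
    ? "\\x" + code.toString(16).padStart(2, "0")
    : "\\u" + code.toString(16).padStart(4, "0");
}

// Encode untrusted text for a JavaScript string-literal context.
// wrapInQuotes = true mirrors the behaviour the question asks about: the
// result is a complete literal. wrapInQuotes = false (the 3.0 beta flag set
// to false) returns a fragment that can be concatenated into a larger literal.
// split("") walks code units, so surrogate pairs are escaped half by half and
// still decode to the original character.
function javaScriptEncode(input, wrapInQuotes = true) {
  const body = String(input).split("").map(escapeCodeUnit).join("");
  return wrapInQuotes ? "'" + body + "'" : body;
}

// The assignment from D. Patrick's answer: `var message=<%= ... %>;` with the
// wrapped output dropped straight into the page.
function renderAssignment(varName, untrusted) {
  return "var " + varName + "=" + javaScriptEncode(untrusted) + ";";
}

// The case from the comments: untrusted text is only part of a literal, so the
// unwrapped form is used inside quotes the template already supplies.
function renderGreeting(untrustedName) {
  return "var greeting='Hello, " + javaScriptEncode(untrustedName, false) + "!';";
}

// Constructed sample input containing a quote, a script close tag and a
// line terminator; nothing in it survives unescaped.
const sampleInput = "a'b</script>\u2028";
console.log(renderAssignment("message", sampleInput));
console.log(renderGreeting("O'Neil"));
```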