[WEB SECURITY] Question about escaping strings in javascript

Evert | Collab evert at collab.nl
Fri May 30 17:07:42 EDT 2008


Dear list,

Looking at http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript, they present a list of characters that should always be escaped in Javascript. This brings me to a few questions, which I hope some of the smart people on this list can answer.

1. Does this PHP function do its job for escaping javascript:

        // Escapes $string for placement inside a JavaScript string literal.
        // Assumes $string is UTF-8: the three Unicode newline characters are
        // matched by their UTF-8 byte sequences, not by single Latin-1 bytes.
        static function javascript($string) {

             $replace = array(
                 // Backslash first: str_replace() applies the pairs in order to
                 // the already-modified string, so a backslash rule placed after
                 // the quote rules would double the backslashes they insert.
                 '\\'           => '\\\\',
                 "\t"           => '\t',
                 "\n"           => '\n',
                 "\r"           => '\r',
                 "\xC2\x85"     => '\u0085', // U+0085 NEXT LINE
                 "\xE2\x80\xA8" => '\u2028', // U+2028 LINE SEPARATOR
                 "\xE2\x80\xA9" => '\u2029', // U+2029 PARAGRAPH SEPARATOR
                 "'"            => '\x27',
                 '"'            => '\x22',
                 '&'            => '\x26',
                 '<'            => '\x3c',
                 '>'            => '\x3e',
                 '='            => '\x3d',
             );
             return str_replace(array_keys($replace), array_values($replace), $string);
         }


2. Does the latter function only work when the output encoding is UTF-8, or would it still be applicable to ISO-8859-1? I realize this probably isn't usable for UTF-7.
3. PHP's built-in function addslashes() only escapes the single quote, double quote and null character. Is this not sufficient?
4. Assuming question #3 is true, how can \u2028 (line separator), \u2029 (paragraph separator) and \u0085 (next line) be used in an exploit?

Thanks a lot for your answers. I'm intending to write an article on this subject on www.rooftopsolutions.nl, but I want to make sure I got my facts straight.

Evert
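An added example for the points raised in questions 1, 2 and 4 (this is not code from the post or from the Doctype article; all function and constant names are chosen here). It is written in JavaScript because the context being protected is a JavaScript string literal, which lets the engine itself act as the oracle. `escapeForJsString` applies the post's character list in a single pass, so no rule ever re-processes another rule's output; an optional ASCII-only mode turns every non-ASCII code point into `\uXXXX` escapes, which makes the result independent of the page's declared output encoding (question 2). `sequentialReplace` models the behaviour of PHP's `str_replace()` with array arguments, applying each pair in turn to the already-modified string, to show why the backslash rule must come first in the posted function. `containsRawLineTerminator` checks for the characters that terminate a string literal in an ES5 engine, which is why U+2028 and U+2029 must be escaped (question 4).

```javascript
// Single-pass escaper for placing untrusted text inside a JavaScript string
// literal. The map covers the characters in the post's PHP function plus the
// null byte that addslashes() handles. Added example, not the post's code.
const JS_ESCAPES = {
  '\\': '\\\\',        // order does not matter in a single pass
  '\u0000': '\\x00',
  '\t': '\\t',
  '\n': '\\n',
  '\r': '\\r',
  '\u0085': '\\u0085', // NEXT LINE: not a JS LineTerminator, harmless to escape
  '\u2028': '\\u2028', // LINE SEPARATOR: a JS LineTerminator before ES2019
  '\u2029': '\\u2029', // PARAGRAPH SEPARATOR: likewise
  "'": '\\x27',
  '"': '\\x22',
  '&': '\\x26',
  '<': '\\x3c',        // "</script>" can no longer reach the HTML parser
  '>': '\\x3e',
  '=': '\\x3d',
};

// asciiOnly=true additionally turns every code point outside printable ASCII
// into \uXXXX escapes (one per UTF-16 unit, so astral characters become
// surrogate pairs); the output then does not depend on the page encoding.
function escapeForJsString(s, asciiOnly = false) {
  let out = '';
  for (const ch of s) {                          // iterates by code point
    const cp = ch.codePointAt(0);
    if (Object.prototype.hasOwnProperty.call(JS_ESCAPES, ch)) {
      out += JS_ESCAPES[ch];
    } else if (asciiOnly && (cp < 0x20 || cp > 0x7e)) {
      for (let i = 0; i < ch.length; i++) {
        out += '\\u' + ch.charCodeAt(i).toString(16).padStart(4, '0');
      }
    } else {
      out += ch;
    }
  }
  return out;
}

// True if the text still contains a character that ends a string literal in
// an ES5 engine; correctly escaped output never does.
function containsRawLineTerminator(s) {
  return /[\n\r\u2028\u2029]/.test(s);
}

// Oracle: let the engine parse the escaped text as the body of a
// double-quoted literal and return the string it produces.
function parseAsJsLiteral(escaped) {
  return Function('return "' + escaped + '";')();
}

// Model of PHP str_replace() with array arguments: each pair is applied in
// turn to the already-modified string (split/join is a literal replace-all).
function sequentialReplace(s, pairs) {
  let out = s;
  for (const [from, to] of pairs) out = out.split(from).join(to);
  return out;
}
const QUOTE_THEN_BACKSLASH = [["'", '\\x27'], ['\\', '\\\\']]; // order in the post
const BACKSLASH_THEN_QUOTE = [['\\', '\\\\'], ["'", '\\x27']]; // corrected order

// Constructed sample input mixing every interesting character class.
const SAMPLE = 'O\'Neil said "<b>hi</b>" & a\u2028b \\ tab\tx=1 \u00e9';

if (typeof require !== 'undefined' && require.main === module) {
  const escaped = escapeForJsString(SAMPLE);
  console.log('escaped:', escaped);
  console.log('round-trips:', parseAsJsLiteral(escaped) === SAMPLE);
  console.log('ascii-only:', escapeForJsString(SAMPLE, true));
  console.log('quote-then-backslash:', sequentialReplace("it's", QUOTE_THEN_BACKSLASH));
  console.log('backslash-then-quote:', sequentialReplace("it's", BACKSLASH_THEN_QUOTE));
}
```

Running the block shows that `sequentialReplace("it's", QUOTE_THEN_BACKSLASH)` yields `it\\x27s`, which parses back to a literal backslash followed by `x27s` rather than to the apostrophe, while the corrected order and the single-pass escaper both round-trip the input exactly.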
