This question already has answers here:
How do I pass variables and data from PHP to JavaScript?
(19 answers)
Closed 7 years ago.
I have a problem...
I want to send a Javascript-Document-Code with a Mail-function...
The PHP-Code looks like this:
$script = '<script>
vfprintf(handle, format, args)ar hljs=new function(){function k(v){return v.replace(/&/gm,\"&\").replace(/</gm,\" ect...
</script>';
(It would be too log to post it all, 30.000 characters...)
How can I assure, that the Special-Characers (", ', \, //, ...) are escaped? :s
EDIT:
This is not a duplicate of the thread, please read it carefully!
Code in one language which emits code in another language is a notoriously difficult thing when it comes to escaping "special" characters. When that code gets upward of tens of thousands of characters then it makes a lot more sense to store it in another file which would be appropriate for that language. In this case, a .js file.
That file can be maintained as that language and not as just a literal string in PHP. This gives you things like syntax checking, debugging, testing, etc.
If the end result (such as a web page or some other displayed HTML) can simply refer to that file separately, then host the file somewhere and just send a reference to it (such as a script tag in the case of HTML). The end user's system will download the file accordingly.
If the end result needs to have this content directly embedded, then in PHP you'd read the file's contents into a string and emit that. Something like file_get_contents('yourScript.js').
Treat code as code, not as string literals.
Related
This question already has answers here:
UTF-8 all the way through
(13 answers)
How to store other languages (unicode) in cookies and get it back again
(1 answer)
Closed 5 years ago.
I'm building a references generator and I need to keep track of the generated references. To achieve this, I'm currently using Javascript to store a cookie containing the raw data, then a PHP page embedded on the result page takes the cookie and logs it into an HTML page, however, some characters appears like this : �. I really don't know which way to go to solve this (base64 encoding, unicode encoded characters...)
Here's the link to the website : http://louisfelixberthiaume.000webhostapp.com/source_siteweb.php
[It's in french]
I can't give you the link to the HTML page for obvious confidentiality reasons, however I'll provide a screenshot :
Generated references screenshot
I'm writing a server-side function for a framework that will let me inline a Javascript file. It takes the filename as input, and its output would be like this:
<script>
/* contents of Javascript file */
</script>
How do I escape the contents of the Javascript file safely?
I am particularly worried if the file contains something like </script>. If the input Javascript file has syntax errors, I still want it to escape correctly. I also realise that XHTML expects some entities to be encoded, whereas HTML doesn't.
There are a lot of questions similar to this asking about how to escape string literals or JSON. But I want something that can handle the general case, so that I can write a tool for the general case.
(I realise inlining potentially untrusted Javascript isn't the best idea, so no need to spend time discussing that.)
This is a work in progress, let me know if I've missed a corner case!
The answer is different depending on whether you're using XHTML or HTML.
1. XHTML with Content-Type: application/xhtml+xml header
In this case, you can simply XML escape any entities, turning this file:
console.log("Example Javascript file");
console.log(1</script>2/);
console.log("That previous line prints false");
To this:
<script>
console.log("Example Javascript file");
console.log(1</script>2/);
console.log("That previous line prints false");
</script>
Note that if you're using XHTML with a different Content-Type header, then different browsers may behave differently, and I haven't researched it, so I would recommend fixing the Content-Type header.
2. HTML
Unfortunately, I know of no way to escape it properly in this case (without at least parsing the Javascript). Replacing all instances of / with \/ would cause some Javascript to break, including the previous example.
The best that I can recommend is that you search for </script case-insensitively and throw an exception if you find it. If you're only dealing with string literals or JSON, substitute all instances of / with \/.
Some Javascript minifiers might deal with </script in a safe manner perhaps, let me know if you find one.
This question already has answers here:
Alternative to mysql_real_escape_string without connecting to DB
(4 answers)
Closed 8 years ago.
Is there an alternative to mysql_real_escape_string for PHP. I want to remove any javascript or php code entered into the text box.
That's not what mysql_real_escape_string does or did (the functions are now deprecated). An alternative to mysql_real_escape_string is using prepared statements, for example with PDO or MySQLi.
However, that's completely unrelated to stripping Javascript or PHP code from a string - also; it could be relatively hard to identify 'Javascript' or 'PHP'.
The real question here is; why do you wanna strip it? The danger doesn't reside in saving the data, the danger resides in displaying the data. You should never ever execute code entered by the user, be it Javascript or PHP.
As for Javascript, disallowing HTML tags in your output is enough. Look into functions as strip_tags, or even better, htmlspecialchars. Preventing PHP from execution is even easier; just do not use the method eval.
mysql_real_escape_string is a function that ensures that your string is correctly escaped for entering into the database. What goes into the database is exactly what you started with.
Anything that removes or changes the string will not be an alternative to mysql_real_escape_string. In other words, it will change the string, not escape it.
If you want to change the string you are storing, you can run it through strip_tags, or preg_replace.
But (if it's appropriate to your situation), consider instead running the string through htmlspeciachars after retrieving from the db, before displaying it.
mysql_real_escape_string is used to avoid SQL injection attacks - where by people try to execute SQL commands against your database. You still need to use this - (or move to PDO prepared statements etc).
mysql_real_escape_string is not meant as a way to sanitize user input (e.g html, javascript) which would make your site open to XSS attacks. For that I would recommend Html Purifier.
You can use strip_tags() - it will delete all html tags, including javascripts.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to parse JSON in Android
I am writing an Android app where I'm getting a .js (JavaScript) file from a url and I want to read its contents. Is there any way to convert this file to a JSONArray or JSONObject? Or a direct way to parse the .js file itself?
If you mean can you create a data structure out of raw JavaScript, then no.
You can't convert a string of arbitrary JavaScript to JSON except in the degenerate sense that the entire string is a valid JSON item of type 'string'. This is because the syntax of JS covers a much larger domain than JSON. For example, what kind of JSON structure would you expect to represent the following JS?
while (true) { }
If your intent is to traverse the JS and pull data structures out of it, you're probably going to need something like a full JavaScript parsing engine.
If on the other hand you've phrased the question badly and the '.js' file you're fetching is really a JSON file, then the question is answered in the marked duplicate.
This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
Why split the <script> tag when writing it with document.write()?
I have frequently seen the following statement:
document.write("<scr");
document.write("ipt language=\"Javascript\" type=\"text/javascript\" src=\"source url\"></scr");
document.write("ipt>");
What is the advantage of this? Why don't people write the whole script, as below?
document.write("<script ");
This might help you:
http://www.webmasterworld.com/forum91/2913.htm
Depending on the browser, the amount of other preceding javascript,
and how well-formed the overall code
is, this is done to prevent the parser
from interpreting the and
tags as executeable code
rather than as a string to be written.
I have found that it just saves headaches down the road if you do this
when using script to write script
tags.
This is probably done to comply with the standards – but they did it wrong in this case.
From the description of CDATA data type:
Although the STYLE and SCRIPT elements use CDATA for their data model, for these elements, CDATA must be handled differently by user agents. Markup and entities must be treated as raw text and passed to the application as is. The first occurrence of the character sequence "</" (end-tag open delimiter) is treated as terminating the end of the element's content. In valid documents, this would be the end tag for the element.
So they rather should have split the end-tag open delimiter </ like this:
document.write("<script language=\"Javascript\" type=\"text/javascript\" src=\"source url\"><" + "/script>");
It depends. When you see such code, it means they are generating certain parts of the page dynamically otherwise yes they could have easily written in <script> tags just below that.
And sometimes, such code is used for malicious purposes.
Isn't this how some people attempt to get past antivirus's script scanners?
To answer your question:
There's no gain from doing this. In fact, it's actually slower, since you're invoking more functions, creating more string objects, and appending more strings.
For older browsers, I guess it might be similar to usage of <!-- <script> blargh </script> //-->
I beleive it's some kind of primitive code obfuscation to sneak in script into dynamic pages. If a website filters user input for the string "<script" for example, this piece of code here would still go through.
Most likely this is some attempt to inject malicious code somewehere.