
I have a script that is rendered to an html page as a part of a tracking solution (etracker).

It is something like this:

<script>
var et_cart = 'nice shoes,10.0,100045;nice jacket,20.00,29887';
</script>

This will be transmitted to the server of the tracking solution by some JavaScript that I don't control. It will end up as 2 items. The items are separated by a semicolon in the source (after '100045').

I obviously need to HTML-encode and JavaScript-encode the values that will be rendered. I first HTML-encode and after that remove single quotes.

This works, but I have an issue with special characters in French and German, e.g. umlauts (ü, ä...). They render as something like {. The output of the script when using lars ümlaut as the article is:

<script>
var et_cart = 'lars &#123;mlaut,10.0,100045;nice jacket,20.00,29887';
</script>

The semicolon is evaluated as an item separator by the tracking solution.

The support of the tracking solution told me to URL-encode the values. Can this work? I guess URL-encoding doesn't stop any XSS attacks. Is it OK to first URL-encode and HTML-encode, then JavaScript-encode after it?


1 Answer


The values only need to be URL-encoded to be transmitted to the client. If the client is displaying the information, it is their responsibility to make sure they protect themselves from XSS attacks, not yours.

<script>
var et_cart = 'lars+%FCmlaut%2C10.0%2C100045%3Bnice+jacket%2C20.00%2C29887';
</script>
answered 2010-07-28T09:33:18.170
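The layering asked about in the question and recommended in the answer, as an added example that is not part of the original post and not etracker's code. It assumes a server that emits the <script> block itself (modelled here in Node.js) and a tracker that splits on ';' and ',' before decoding. The innermost layer is URL-encoding of each field, so user data can never contain the tracker's separators; the outermost layer is escaping for the single-quoted JavaScript string literal, which is still required because encodeURIComponent leaves the single quote untouched. There is no HTML-encoding step at all: browsers do not decode entities inside <script>, and every numeric entity ends in ';', which is exactly the item separator the question ran into. Note that encodeURIComponent produces UTF-8 escapes (%C3%BC, %20), while the answer's sample shows a Latin-1 form encoding (%FC, '+'); whichever is used, the tracker's decoder must agree on charset and '+' handling.

```javascript
// Added example: layered encoding for a tracker cart string embedded in <script>.
// Not etracker's code; the field order (name, price, id) and the ';' / ','
// delimiters are taken from the question, everything else is assumed.

// Innermost layer: URL-encode every field so the tracker's delimiters
// (',' between fields, ';' between items) cannot occur inside a value.
function buildCart(items) {
  return items
    .map((it) => [it.name, it.price, it.id].map(encodeURIComponent).join(","))
    .join(";");
}

// What a delimiter-based consumer does with the string: split on ';',
// then on ',', and only then decode each field.
function parseCart(cart) {
  if (cart === "") return [];
  return cart.split(";").map((item) => {
    const [name, price, id] = item.split(",").map(decodeURIComponent);
    return { name, price, id };
  });
}

// Outermost layer: escape for a single-quoted JS string literal inside <script>.
// encodeURIComponent leaves ' ( ) ! * ~ untouched, so the quote must be
// escaped here; '<' becomes \x3C so a literal "</script>" can never close
// the block early.
function jsStringLiteral(s) {
  const escaped = s.replace(/[\\'"<\n\r\u2028\u2029]/g, (c) => {
    switch (c) {
      case "\\": return "\\\\";
      case "'": return "\\'";
      case '"': return '\\"';
      case "<": return "\\x3C";
      case "\n": return "\\n";
      case "\r": return "\\r";
      case "\u2028": return "\\u2028";
      case "\u2029": return "\\u2029";
    }
  });
  return "'" + escaped + "'";
}

// The complete block the server would render into the page.
function renderScript(items) {
  return "<script>\nvar et_cart = " + jsStringLiteral(buildCart(items)) + ";\n</script>";
}

// Number of items a ';'-splitting consumer sees in a cart string.
function countItems(cart) {
  return cart.split(";").length;
}

// Constructed sample showing the failure mode from the question: an HTML
// entity for ü carries a ';' of its own, so the tracker sees three items.
const HTML_ENCODED_CART = "lars &#252;mlaut,10.0,100045;nice jacket,20.00,29887";

// Constructed sample data; the first name deliberately contains both
// tracker separators and a single quote.
const SAMPLE_ITEMS = [
  { name: "lars ümlaut; 'nice'", price: "10.0", id: "100045" },
  { name: "nice jacket", price: "20.00", id: "29887" },
];

console.log(renderScript(SAMPLE_ITEMS));
console.log("items parsed back:", parseCart(buildCart(SAMPLE_ITEMS)).length);
console.log("items seen in HTML-encoded cart:", countItems(HTML_ENCODED_CART));
```

Running it prints a <script> block whose single quotes inside the cart value are backslash-escaped and whose ';' and ',' characters all come from the tracker format, never from the data; the HTML-encoded sample splits into three items, reproducing the bug in the question.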