Client-Side Scripting Languages Support in AntiXSS
Anil Chintala here...
Recently I was asked about a question on client-side scripting language support in AntiXSS library.
Q: Does AntiXSS library support client-side Java Script language?
Yes, AntiXSS does provide support for client side scripting languages like Java Script and Visual Basic scripting languages. AntiXSS library provides methods like JavaScriptEncode(...) and VisualBasicScriptEncode(...) for use in Java Script and VB Script contexts.
Let's look at these with some examples now. I would like to take a simplistic approach and create a HTML page with a input box which takes a user name and echo's back to the browser via a message box.
Example #1 - Visual Basic Script Context
<HTML>
<HEAD><TITLE>A Simple VisualBasic Script Example Page</TITLE>
<SCRIPT LANGUAGE="VBScript">
<!--
Sub Submit_OnClick
MsgBox(<%=AntiXss.VisualBasicScriptEncode(Request.Form["TextName"]) %>)
End Sub
-->
</SCRIPT>
</HEAD>
<BODY>
<H3>A Simple First Page</H3><HR>
<FORM ID="Form1">
Enter Your Name:<input name="TextName" TYPE="TEXT" SIZE="20">
<INPUT NAME="Submit" TYPE="BUTTON" VALUE="Click Here">
</FORM>
</BODY>
</HTML>
Example #2 - Java Script Context
<HTML>
<HEAD><TITLE>A Simple Java Script Example Page</TITLE>
<script Language="javascript">
function showMessage() {
var varName = <%=AntiXss.JavaScriptEncode(Request.Form["TextName"]) %>;
alert(varName);
}
</script>
</HEAD>
<BODY>
<H3>A Simple First Page</H3><HR>
<FORM ID="Form1">
Enter Your Name:<input name="TextName" TYPE="TEXT" SIZE="20">
<INPUT NAME="Submit" TYPE="BUTTON" onclick="javascript:showMessage()" VALUE="Click Here">
</FORM>
</BODY>
</HTML>
So we looked at the client-side scripting language support available in AntiXSS library in the above examples. Please feel free to get in touch with me if you have any further questions on this.
Thanks... Anil