Manual Reference Pages  -  JAVASCRIPT::VALUE::ESCAPE (3)


NAME

JavaScript::Value::Escape - Avoid XSS with JavaScript value interpolation


SYNOPSIS



  use strict;
  use warnings;
  use JavaScript::Value::Escape;
  use Text::Xslate::Util;    # provides Text::Xslate::Util::escape_html used below

  # The input contains every character that can break out of a quoted
  # JavaScript string literal or close the surrounding <script> element.
  my $escaped = javascript_value_escape(q!&foo"bar'</script>!);
  # $escaped is "\u0026foo\u0022bar\u0027\u003c\/script\u003e"

  # Data that will be written into the DOM must be HTML-escaped first,
  # then JavaScript-escaped for the string literal it is placed in.
  my $html_escaped = javascript_value_escape(Text::Xslate::Util::escape_html(q!&foo"bar'</script>!));

  # Escaped values are always interpolated inside a quoted JavaScript string literal.
  print <<EOF;
  <script>
  var param = '$escaped';
  alert(param);

  document.write('$html_escaped');

  </script>
  EOF



DESCRIPTION

Many XSS vulnerabilities, a class of security hole typically found in web applications, are caused by incorrect or missing JavaScript escaping. This module aims to provide secure JavaScript escaping so that data interpolated into JavaScript values cannot be used for XSS.

The escaping routine JavaScript::Value::Escape provides escapes q!"!, q!'!, q!&!, q!=!, q!-!, q!+!, q!;!, q!<!, q!>!, q!/!, q!\! and control characters to JavaScript unicode escape sequences such as \u0026, so that the result can only be read as string data inside a quoted JavaScript string literal.
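To make the rule concrete, here is an added Python re-implementation of the escaping described above (it is not the module's own code). It follows the character list from this section and the SYNOPSIS output, where every listed character becomes \uXXXX except "/" which becomes "\/"; the helper names script_var, html_then_js and round_trips are this example's own, and the sample payload is constructed.

```python
import html
import json
import re

# Escape table taken from the DESCRIPTION; "/" -> "\/" follows the SYNOPSIS output.
_ESCAPE = {
    "\\": "\\u005c", '"': "\\u0022", "'": "\\u0027", "&": "\\u0026",
    "=": "\\u003d", "-": "\\u002d", "+": "\\u002b", ";": "\\u003b",
    "<": "\\u003c", ">": "\\u003e", "/": "\\/",
}
# One alternation: any table character, or any C0 control character.
_PATTERN = re.compile(
    "[" + "".join(re.escape(c) for c in _ESCAPE) + "]|[\\x00-\\x1f]"
)


def javascript_value_escape(value: str) -> str:
    """Escape a text string for use inside a quoted JavaScript string literal."""
    def repl(match):
        ch = match.group(0)
        # Control characters are not in the table and get a generic \u00XX escape.
        return _ESCAPE.get(ch) or "\\u%04x" % ord(ch)
    return _PATTERN.sub(repl, value)


def script_var(name: str, value: str) -> str:
    """Build the 'var NAME = "...";' line used in the SYNOPSIS <script> block."""
    return 'var %s = "%s";' % (name, javascript_value_escape(value))


def html_then_js(value: str) -> str:
    """Value destined for document.write(): HTML-escape first, then JS-escape."""
    return javascript_value_escape(html.escape(value, quote=True))


def round_trips(value: str) -> bool:
    """Check the escaped form is a valid string literal that decodes back unchanged.

    JSON string syntax is a subset of JavaScript's, and accepts \\/ and \\uXXXX,
    so json.loads is a convenient stand-in for the browser's parser here."""
    return json.loads('"' + javascript_value_escape(value) + '"') == value


if __name__ == "__main__":
    payload = '&foo"bar\'</script>'  # constructed sample, same as the SYNOPSIS
    print(javascript_value_escape(payload))
    print(script_var("param", payload))
    print(html_then_js(payload))
    print(round_trips(payload))
```

The closing "</script>" can no longer appear in the generated markup, which is the property that keeps the browser's HTML parser from ending the script element early.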

EXPORT FUNCTION

javascript_value_escape($value :Str) :Str

    Escape a string. The argument must be a text string (a.k.a. a UTF-8 flagged string, Perl's internal form).

    This is exported by default.

js($value :Str) :Str

    Alias to javascript_value_escape() for convenience.

    This is exported on request.

AUTHOR

Masahiro Nagano <kazeburo {at} gmail.com>

THANKS TO

Fuji, Goro (gfx)

SEE ALSO

<http://subtech.g.hatena.ne.jp/mala/20100222/1266843093> - About XSS caused by buggy JavaScript escaping for HTML script sections (Japanese)

<http://blog.nomadscafe.jp/2010/11/htmlscript.html> - Wrote a module (JavaScript::Value::Escape) to escape data for HTML script sections (Japanese)

<https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet> - Preventing XSS (Cross Site Scripting) (English)

RFC4627 - The application/json Media Type for JSON

LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.


perl v5.20.3 JAVASCRIPT::VALUE::ESCAPE (3) 2016-03-17
