javascript - How to encode a value that is rendered to page and finally used in URL? -


I have a script which is provided as part of a tracking solution (etracker) on any HTML page.

This is something like this:

  & lt; Script & gt; Var et_cart = 'Good Shoes, 10.0 100000045; Good jacket, 20.00,29887 '; & Lt; / Script & gt;  

This will be transmitted to the server of the tracking solution by some javascript which I do not control. This item ends in 2 items, separated by a semicolon in the source (after '100045').

I need to explicitly have HTML-encoded and javascript-encoded which will be provided. I have to convert to the first HTML-encoded word and then delete a single quote.

It works, but I have French and German examples with special characters Umlaut (ü, AA ...). They render something like {. The script is produced when using Lars ümlaut as an article:

  & lt; Script & gt; Var et_cart = 'Lars & amp; # 123; Mlaut, 10.0100045; Good jacket, 20.00,29887 '; & Lt; / Script & gt;  

Semicolon tracking solution is evaluated as an item separator.

Supporting the Tracking Solution I asked to write the values ​​in URL-encoded words. Could this work? I suppose url-encoding does not stop any xss-atacks. Is it OK for the first URL-encoded and HTML-encoded, then javascript-encoded?

URL must be encoded to communicate prices only to the customer. If information is being displayed by the customer, then it is their responsibility to ensure that they are protecting themselves against XSS attacks, not yours.

  & lt; Script & gt; Var et_cart = 'lars +% FCmlaut% 2C10.0% 2C100045% 3Bnice + jacket% 2C20.00% 2C29887'; & Lt; / Script & gt;  

Comments

Popular posts from this blog

c# - sqlDecimal to decimal clr stored procedure Unable to cast object of type 'System.Data.SqlTypes.SqlDecimal' to type 'System.IConvertible' -

Calling GetGUIThreadInfo from Outlook VBA -

Obfuscating Python code? -