Protecting from JavaScript injection

Topics: Writing modules
Mar 4, 2011 at 3:51 PM

Hi,

I'm writing a module that writes values that come from the user into JavaScript in the view.

Should I be displaying these with:

@Ajax.JavaScriptStringEncode(Model.UserString)

Or does Orchard protect me from nasty unicode characters?

Coordinator
Mar 4, 2011 at 3:59 PM

You should definitely do that. That will ensure the string stays a string, even if it contains quotes or other nasties. I think you need to provide the quotes though.
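
The point above, worked through as an added example (not code from this thread or from Orchard): a JavaScript re-implementation of the escaping that ASP.NET's JavaScriptStringEncode performs, used to show why the encoded value is safe inside a quoted JS string literal and why the view must still supply the surrounding quotes, as in `var userString = "@Ajax.JavaScriptStringEncode(Model.UserString)";`. The escape set in `jsStringEncode` (quotes, backslash, control characters, `<`, `>`, `&`) is my understanding of what the .NET helper emits, not its source; `renderScript`, `roundTrip` and `unencodedRoundTripFails` are helpers written for this example.

```javascript
// Added example: re-implementation of JavaScriptStringEncode-style escaping.
// Assumption: the escape set below mirrors the .NET helper (it is not the .NET source).
function jsStringEncode(value) {
  let out = '';
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    switch (ch) {
      case '\\': out += '\\\\'; break;
      case '"':  out += '\\"';  break;
      case '\n': out += '\\n';  break;
      case '\r': out += '\\r';  break;
      case '\t': out += '\\t';  break;
      case '\b': out += '\\b';  break;
      case '\f': out += '\\f';  break;
      default:
        // Single quote, angle brackets and ampersand become \uXXXX so that neither a
        // quote nor a "</script>" sequence can end the literal or the script element;
        // remaining control characters get the same treatment. Everything else is
        // copied through, so the encoder never adds the surrounding quotes itself.
        if (code < 0x20 || ch === "'" || ch === '<' || ch === '>' || ch === '&') {
          out += '\\u' + code.toString(16).padStart(4, '0');
        } else {
          out += ch;
        }
    }
  }
  return out;
}

// Mirrors the Razor line  var userString = "@Ajax.JavaScriptStringEncode(Model.UserString)";
// The double quotes come from the template, not from the encoder.
function renderScript(userString) {
  return 'var userString = "' + jsStringEncode(userString) + '";';
}

// Evaluate the rendered script the way a browser would and return the value that
// ends up in the variable, so the round trip can be checked against the input.
function roundTrip(userString) {
  return new Function(renderScript(userString) + ' return userString;')();
}

// For contrast: the same template with the value dropped in unencoded. A value
// containing a double quote terminates the literal early and the script no longer
// parses, which is the failure mode the encoding prevents.
function unencodedRoundTripFails(userString) {
  try {
    new Function('var userString = "' + userString + '"; return userString;')();
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Constructed sample input containing every character class the encoder handles.
const sample = 'He said "hi" </script>\n\'x\' & \\';
console.log(renderScript(sample));
console.log('round trip intact:', roundTrip(sample) === sample);
console.log('unencoded breaks:', unencodedRoundTripFails(sample));
```

The encoded output is only safe inside a JavaScript string literal; dropping the same value into an HTML attribute or into element text still needs HTML encoding, which in Razor is what the default `@` output does.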

Mar 5, 2011 at 11:19 AM
Edited Mar 5, 2011 at 11:19 AM

Thanks. I'll make sure I do that for all string values to keep everything nice and secure.