
I have created a website based on

SQL Server 2014
C# (ASP.NET)
Javascript and jQuery

The user can store information within a textbox on my site. To prevent injection, I can encode/decode special characters. The user should be able to submit code like the one below, but the code should not be executed. So far so good.

<script type="text/javascript">
    $(document).ready(function () {
        console.log('uuuuups.....');
    });
</script>

This code will be stored as is in the database (without encoding first). Now I would like to offer CKEditor to my users and give them the ability to use the code plugin. The code plugin itself creates the following code:

<pre class="brush:jscript;">
&lt;script type=&quot;text/javascript&quot;&gt;
    $(document).ready(function () {
        console.log(&#39;uuuuups....&#39;);
    });
&lt;/script&gt;</pre>

I have tried to replace characters within SQL like

replace(replace(@text, '<', '&lt;'), '>', '&gt;')

But this seems to break the code when I try to view it. My problem now is how to handle this. Do I have to encode twice? Every hint will be appreciated.


1 Answer


I am using CKEditor in my web site, and I face the same issue; it is about JavaScript injection: how to prevent it without disrupting the view. Try, on your server side, to parse the "<script ...>javascript code ...</script>" and clear it. I think it is not difficult to find this tag in ASP.NET or in PHP.

Good luck


1 Comment

Kindly provide a code snippet/detailed answer for it to help!
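Added example (not code from the question, the answer, or CKEditor itself): a small Node.js script covering both the encoding problem in the question and the server-side step the answer suggests. It shows (1) encoding a raw textbox value once, at render time, so the script is displayed rather than run; (2) why applying that same encoding to CKEditor's output breaks the view: the `&lt;` that the code plugin already emitted inside `<pre>` becomes `&amp;lt;`, and the `<pre>` tag itself is shown as text; and (3) the "find the tag and clear it" step, done as an allow-list sanitizer rather than a bare `<script>` search, so event-handler attributes and other unexpected tags are dropped as well. The sample inputs are constructed (modelled on the snippets in the question), the list of allowed tags and the `brush:` class pattern are assumptions, and all function names are my own.

```javascript
// Tags kept by the sanitizer, with the attributes allowed on each (assumed list).
const ALLOWED = new Map([
  ['pre', ['class']], ['code', []], ['p', []], ['br', []], ['b', []], ['i', []],
  ['strong', []], ['em', []], ['ul', []], ['ol', []], ['li', []],
]);
// Elements whose content is dropped together with the tag.
const DROP_WITH_CONTENT = new Set(['script', 'style']);
// Only the CKEditor code-plugin style of class value is kept on <pre> (assumed pattern).
const CLASS_RE = /^brush:[a-z0-9]+;$/i;

// Full HTML encoding for raw text: a plain textbox value, or an attribute value.
function encodeForHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Encoding for text that may already contain entities (what CKEditor emits inside <pre>):
// existing entities such as &lt; and &#39; are left alone; bare &, < and > are escaped.
function encodeTextNode(text) {
  return text
    .replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z][a-z0-9]*);)/gi, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Parse the attribute part of a start tag into a name -> value map (names lower-cased).
function parseAttrs(attrText) {
  const attrs = Object.create(null);
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Allow-list sanitizer: keeps ALLOWED tags with their allowed attributes, drops every
// other tag (the whole element for script/style), and re-encodes bare < > & in text.
function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += encodeTextNode(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();

    if (DROP_WITH_CONTENT.has(name)) {
      if (!closing) {
        // Skip to the matching close tag, or to the end of input if it never closes.
        const closeRe = new RegExp(`</${name}\\s*>`, 'ig');
        closeRe.lastIndex = last;
        const c = closeRe.exec(html);
        last = c ? closeRe.lastIndex : html.length;
        tagRe.lastIndex = last;
      }
      continue;
    }

    const allowedAttrs = ALLOWED.get(name);
    if (allowedAttrs === undefined) continue;   // unknown tag: drop it, keep its text
    if (closing) { out += `</${name}>`; continue; }

    const attrs = parseAttrs(m[3]);
    let attrOut = '';
    for (const a of allowedAttrs) {
      const v = attrs[a];
      if (v === undefined) continue;
      if (a === 'class' && !CLASS_RE.test(v)) continue;
      attrOut += ` ${a}="${encodeForHtml(v)}"`;
    }
    out += `<${name}${attrOut}>`;
  }
  out += encodeTextNode(html.slice(last));
  return out;
}

// Constructed sample inputs, modelled on the snippets in the question.
const TEXTBOX_INPUT = [
  '<script type="text/javascript">',
  '    $(document).ready(function () {',
  "        console.log('uuuuups.....');",
  '    });',
  '</script>',
].join('\n');

const CKEDITOR_OUTPUT = [
  '<pre class="brush:jscript;">',
  '&lt;script type=&quot;text/javascript&quot;&gt;',
  '    $(document).ready(function () {',
  '        console.log(&#39;uuuuups....&#39;);',
  '    });',
  '&lt;/script&gt;</pre>',
].join('\n');

const HOSTILE_INPUT = '<pre class="brush:jscript;" onmouseover="alert(1)">' +
  '<script>alert(1)</script><img src=x onerror=alert(1)>safe &amp; sound</pre>';

console.log(encodeForHtml(TEXTBOX_INPUT));    // encoded once: displayed as text, not run
console.log(encodeForHtml(CKEDITOR_OUTPUT));  // double-encoded: the <pre> tag is shown as text
console.log(sanitizeHtml(CKEDITOR_OUTPUT));   // unchanged: already safe to render
console.log(sanitizeHtml(HOSTILE_INPUT));     // script, img and onmouseover are gone
```

The practical rule this illustrates: store what the user sent and encode at output time, once, for the context it lands in. A plain textbox value is text and gets `encodeForHtml`. CKEditor's output is already HTML, so encoding it (in SQL or anywhere else) is the wrong operation; it has to be sanitized against an allow-list instead, which leaves the code plugin's `&lt;...&gt;` inside `<pre>` untouched. For a production ASP.NET site, prefer a maintained HTML sanitizer library over a hand-rolled one like this; the parsing edge cases are where sanitizers get bypassed.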
