Encode HTML

For those writing JavaScript in LabKey wiki pages and views, the most common risk is script injection (cross-site scripting). It occurs when your code accepts text input from a user, perhaps saves it to the database, and later inserts that text into a web page without HTML-encoding it. Always HTML-encode text entered by a user before displaying it in the page; this prevents a malicious user from entering JavaScript that would execute when the text is added to the page as HTML. HTML-encoding converts the characters that would otherwise be interpreted as HTML markup (<, >, &, and quotes) into entity references, so the browser displays them as plain text rather than parsing them as HTML. Apply the encoding exactly once, at the point where the value is written into the page: encoding text that is already encoded makes the user see literal entities such as &lt; instead of the original characters.

To HTML-encode text, use the following function from the Ext library, which is always available in a LabKey wiki page or view:

var myValue = Ext.get("myInput").getValue();   // "myInput" stands in for the id of your input control
var myValueEncoded = Ext.util.Format.htmlEncode(myValue);

// ... save myValueEncoded to the database, or redisplay it as follows.
// Encode exactly once: if you store the encoded form, do not encode it again on display.
Ext.get("myDisplayElement").update(myValueEncoded);
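The following is an added example, not code from the LabKey documentation or from the Ext library. It implements a stand-alone encoder in the spirit of Ext.util.Format.htmlEncode (this one also encodes the single quote, so it is not byte-for-byte identical to Ext's), runs it over constructed hostile inputs to show what the browser would otherwise parse as markup, checks that the encoded output is inert, and demonstrates the double-encoding problem that arises when a value is encoded before storage and again on display. The function names, the HTML_ESCAPES table, and the sample strings are all assumptions of this example.

```javascript
// Added example: stand-alone HTML encoder and checks. Not LabKey or Ext code;
// all names below are chosen for this illustration.

// Every character that can change meaning inside HTML text or inside a
// double- or single-quoted attribute value.
var HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;"
};

// Encode a value for insertion as HTML text or as a quoted attribute value.
// A single pass with one regex means the '&' we emit inside "&lt;" is never
// re-encoded within the same call.
function htmlEncode(value) {
  if (value === null || value === undefined) return "";
  return String(value).replace(/[&<>"']/g, function (ch) {
    return HTML_ESCAPES[ch];
  });
}

// Inverse of htmlEncode for the five entities above. Used here only to show
// what text a browser would display; not a rendering routine.
function htmlDecode(value) {
  return String(value)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&"); // last, so "&amp;lt;" becomes "&lt;", not "<"
}

// True when the string contains nothing the HTML parser would treat as
// markup: no raw <, >, quotes, and no '&' except as one of our entities.
// A value that passes can be handed to innerHTML or Ext.Element.update.
function isInertHtml(value) {
  return !/[<>"']/.test(value) && !/&(?!(amp|lt|gt|quot|#39);)/.test(value);
}

// Constructed sample inputs, as a hostile user might type them into a form.
var SAMPLE_INPUTS = [
  "<script>alert(document.cookie)</script>",
  "<img src=x onerror=\"alert(1)\">",
  "\" onmouseover=\"alert(1)",   // breaks out of a quoted attribute
  "Tom & Jerry <3"               // benign text that still needs encoding
];

// Encode every sample and report, per input, whether raw and encoded forms
// are safe to insert as HTML.
function checkSamples(inputs) {
  return inputs.map(function (raw) {
    var encoded = htmlEncode(raw);
    return {
      raw: raw,
      encoded: encoded,
      rawIsInert: isInertHtml(raw),
      encodedIsInert: isInertHtml(encoded),
      roundTrips: htmlDecode(encoded) === raw
    };
  });
}

// Encoding on save and again on display stacks two layers of entities; the
// page then shows "&lt;b&gt;" literally instead of "<b>". Encode once.
function doubleEncodeDemo(raw) {
  var storedEncoded = htmlEncode(raw);       // encoded before saving
  var displayed = htmlEncode(storedEncoded);  // encoded again on display
  return {
    once: storedEncoded,
    twice: displayed,
    rendersAs: htmlDecode(displayed)          // what the user actually sees
  };
}

// In a browser: write a user value into a container through the dynamic-HTML
// path safely. textContent is the simpler alternative when no markup at all
// is wanted.
function renderUserValue(container, rawValue) {
  container.innerHTML = htmlEncode(rawValue); // markup characters are now entities
  // equivalent without an encoding step: container.textContent = rawValue;
}

if (typeof document !== "undefined" && document.getElementById("myDisplayElement")) {
  renderUserValue(document.getElementById("myDisplayElement"), SAMPLE_INPUTS[0]);
}
```

Run checkSamples(SAMPLE_INPUTS) to see that none of the raw inputs is inert while every encoded form is, and that decoding restores the original text exactly. doubleEncodeDemo("<b>") shows the stored-encoded value "&lt;b&gt;" becoming "&amp;lt;b&amp;gt;" after a second pass, which a browser renders as the literal string "&lt;b&gt;".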

For more details on the Ext.util.Format class, see the Ext API documentation at the following link:

http://www.extjs.com/deploy/dev/docs/?class=Ext.util.Format

For more information on web development and security risks, see the following site:

http://www.owasp.org/index.php/Main_Page
