Question

I've been using Microsoft's AntiXss Library and was wondering if there is a good reason why its JavaScriptEncode method wraps the result in single quotes? That behavior seems unconventional.


Solution

Actually, the new 3.0 beta version has a flag: JavaScriptEncode(string input, bool flagforQuote). Setting it to false yields a result without quotes.

http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en

OTHER TIPS

Probably to make sure it is returning a string. The usage I've seen is to take input and return a value that you can assign to a variable in JavaScript.

var message=<%=AntiXss.JavaScriptEncode(message)%>;

Now, no matter what was in message, the JS variable message will have the exact input, escaped appropriately, so if some jerk tried to inject JavaScript into that message, they'd just see the result of their message being assigned to the message variable.
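The behaviour the answer above describes, as an added example that is not part of the original answers and not Microsoft's AntiXss code: jsEncode is a simplified stand-in for JavaScriptEncode (the exact set of characters the real library escapes is an assumption here; this version passes alphanumerics and spaces through and emits every other UTF-16 code unit as \uXXXX). It renders the `var message=...;` template three ways, with raw concatenation, with the encoder supplying the quotes (the library's default), and with the encoder's quote flag off and the template supplying the quotes, then evaluates each script to show what the attacker's input actually does.

```javascript
// Added example, not AntiXss library code. jsEncode approximates the
// JavaScriptEncode behaviour discussed on the page; the escaping rules are
// an assumption, chosen so the output is always a valid JS string literal.

// Encode a string for embedding as a JavaScript string literal.
// Alphanumerics and spaces pass through; every other UTF-16 code unit is
// written as \uXXXX, which neutralises quotes, backslashes, newlines and
// "</script>" (the "<" and "/" are escaped, so the HTML parser never sees it).
function jsEncode(input, wrapInQuotes = true) {
  let out = '';
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (/[A-Za-z0-9 ]/.test(ch)) {
      out += ch;
    } else {
      out += '\\u' + input.charCodeAt(i).toString(16).padStart(4, '0');
    }
  }
  return wrapInQuotes ? "'" + out + "'" : out;
}

// Simulate the server-side template `var message=<%=...%>;` and evaluate
// the resulting script in a fresh function scope. Returns the value the JS
// variable `message` ended up with and whether the injected statement ran.
function renderAndRun(template, payload) {
  const script = template(payload);
  const sandbox = { pwned: false };
  const fn = new Function('sandbox', script + '\nreturn message;');
  const value = fn(sandbox);
  return { script, value, pwned: sandbox.pwned };
}

// Constructed attacker input: closes the string literal, runs a statement,
// then comments out the rest of the line.
const PAYLOAD = "'; sandbox.pwned = true; //</script>";

// Vulnerable template: raw concatenation inside hand-written quotes.
const unsafeTemplate = (m) => "var message='" + m + "';";
// Safe template: the encoder supplies the quotes (the library's default).
const safeTemplate = (m) => 'var message=' + jsEncode(m) + ';';
// Safe template in the 3.0 flag style: quotes off, the template supplies them.
const safeNoQuoteTemplate = (m) => "var message='" + jsEncode(m, false) + "';";

function demo() {
  return {
    unsafe: renderAndRun(unsafeTemplate, PAYLOAD),
    safe: renderAndRun(safeTemplate, PAYLOAD),
    safeNoQuote: renderAndRun(safeNoQuoteTemplate, PAYLOAD),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

With the unsafe template the payload breaks out of the literal and sandbox.pwned flips to true; with either encoded template the variable simply holds the attacker's original text and nothing else executes. Note that the quote flag only moves responsibility for the quotes to the template author: the encoding is what does the work, and the output must still land inside a quoted literal.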

Licensed under: CC-BY-SA with attribution