How to Break Javascript Escape Function

 
Ranch Hand
Posts: 205
I have a theory that some null values are getting into our database because part of the Javascript validation is using the method below:



...however I can't very well prove it, because I can't seem to make escape have an exception and return null. What kind of characters or character sequences can cause the escape function to throw an exception?

Thanks,
Jim
 
author
Posts: 15385
6
Shouldn't your server-side validation catch that before it goes into the database?

Also you probably would be better off using encodeURIComponent and not escape.

Eric
 
James Ellis
Ranch Hand
Posts: 205

Shouldn't your server-side validation catch that before it goes into the database?

Also you probably would be better off using encodeURIComponent and not escape.



Yes this is true - but in order to persuade management that the JavaScript is the culprit, I need to be able to prove that the function "GV" described above can actually have an exception that returns the value as "null" which is then inserted into the database.

At the moment they think it could either be the Javascript or some weird Java/Database code interaction.

I am of the opinion there's no way the latter is the case - but a good working example of the Javascript escape function throwing an exception speaks a thousand words.

Jim
 
Eric Pascarello
author
Posts: 15385
6
Only way that code will throw an error from my knowledge is if you do not have any elements with the name that is provided.

If you still think it is escape, build yourself a loop that goes through every single character known to man and see what happens.

If it is some public script, it could easily be a bot filling out your forms with JS disabled.

You should never trust JavaScript Validation/Manipulation for forms. I would blame the server and not the client. And if you have an issue with that null, why is it returning null and not some other value?

Eric
 
Sheriff
Posts: 67596
173
If null is not a reasonable value to return at that point, why is that code there in the first place? Eating exceptions, whether it be in Java code or JavaScript, is rarely the correct thing to do.

Why not just let the exception propagate so you'll know when the problem occurs rather than polluting the database and wondering why later?

And, how is the null getting to the database after the server-side checks?

Does management need to be convinced to replace code that's just plain poor?

[Edit: bonk! it's amazing how alike Eric and I think...]
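
The loop suggested in the thread, written out as an added example; it is not part of any post here, and the original "GV" code did not survive on this page. It feeds every UTF-16 code unit to `escape` and to `encodeURIComponent`, and contrasts a helper that swallows exceptions with one that lets them propagate. `gvSwallow`, `gvStrict`, `byName` and `sampleForm` are hypothetical names, the form data is constructed, and `byName` stands in for `document.getElementsByName` so the code runs outside a browser.

```javascript
// Constructed sample form: field name -> matching elements, standing in for
// document.getElementsByName() so the example runs outside a browser.
const sampleForm = {
  comment: [{ value: "O'Brien & sons <50%> \uD83D\uDE00 \uD800" }],
};
const byName = (name) => sampleForm[name] || []; // no match -> empty list

// Hypothetical helper in the style the thread describes: escape a field's
// value and hide any exception behind a null return.
function gvSwallow(name) {
  try {
    return escape(byName(name)[0].value);
  } catch (e) {
    return null; // the caller cannot tell a failure from a real value
  }
}

// Same lookup with the exception left to propagate to the caller.
function gvStrict(name) {
  return escape(byName(name)[0].value);
}

// Feed every UTF-16 code unit (lone surrogates included) to an encoder and
// collect the code units that make it throw.
function codeUnitsThatThrow(encoder) {
  const failures = [];
  for (let cu = 0; cu <= 0xffff; cu++) {
    try {
      encoder(String.fromCharCode(cu));
    } catch (e) {
      failures.push(cu);
    }
  }
  return failures;
}

const escapeFailures = codeUnitsThatThrow(escape);
const uriFailures = codeUnitsThatThrow(encodeURIComponent);

console.log("escape throws on", escapeFailures.length, "code units");
console.log("encodeURIComponent throws on", uriFailures.length, "code units");
console.log("existing field:", gvSwallow("comment"));
console.log("missing field :", gvSwallow("no_such_field"));
```

The only null produced here comes from the missing field, where the swallowed error is a `TypeError` from the element lookup rather than anything `escape` did. Switching to `encodeURIComponent` does introduce inputs that throw (unpaired surrogates), so a catch-and-return-null wrapper around it would hide those as well.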
 