EncodeJavaScript() causes JavaScript to not run, but then get security warning


Hi,

When I add my own JavaScript to a page I get the warning:

"JavaScript Injection
Please ensure your expression is correctly encoded to avoid JavaScript injection security flaws."

I then enclose the JavaScript in EncodeJavaScript(), the warning goes away, but then my JavaScript does not execute. So what is the point of EncodeJavaScript?


For example I have a generic "Yes"/"No" Popup, I pass the popup the question it must ask as a parameter, then in the preparation I set the message container's contents to the received string via JavaScript as follows:


"ChangeContainerContent('" + ModalTitle.Id + "', '" + Title + "');"


It works 100% except I get the above warning. When I enclose the above in EncodeJavaScript like the following example, it does not run at all; the message is not replaced with the passed parameter:

EncodeJavaScript("ChangeContainerContent('" + ModalTitle.Id + "', '" + Title + "');")

What is going on?

Thanks.

Solution

Hi Elize,


Check the help topic for that built-in function. It is intended to encode "JavaScript literals", not complete JavaScript snippets of code.

So in your example it should be:

"ChangeContainerContent('" + ModalTitle.Id + "', '" + EncodeJavaScript(Title) + "');"


Also note that you don't need to encode the ModalTitle.Id part, because the widget ids are already known to be safe to use in JavaScript literals.


Regards,
João Rosado
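
The difference between the three expressions in this thread, as an added example that is not part of the original posts and is not the platform's own code. `encodeJsLiteral` is a hypothetical stand-in for EncodeJavaScript, and the widget id and title are constructed sample values.

```javascript
// Hypothetical stand-in for EncodeJavaScript (not the platform's implementation):
// every character except ASCII letters and digits becomes a \xHH or \uHHHH escape,
// which is only meaningful inside a JavaScript string literal.
function encodeJsLiteral(value) {
  let out = '';
  for (const unit of String(value).split('')) {
    const code = unit.charCodeAt(0);
    if (/[A-Za-z0-9]/.test(unit)) out += unit;
    else if (code < 256) out += '\\x' + code.toString(16).padStart(2, '0');
    else out += '\\u' + code.toString(16).padStart(4, '0');
  }
  return out;
}

// Constructed widget id, standing in for ModalTitle.Id.
const MODAL_TITLE_ID = 'wt12_ModalTitle';

// The three ways of building the expression discussed in the thread.
function buildUnencoded(title) {
  return "ChangeContainerContent('" + MODAL_TITLE_ID + "', '" + title + "');";
}
function buildWholeSnippetEncoded(title) {
  // Escapes the parentheses and quotes too, so the result is no longer code.
  return encodeJsLiteral(buildUnencoded(title));
}
function buildLiteralEncoded(title) {
  return "ChangeContainerContent('" + MODAL_TITLE_ID + "', '" + encodeJsLiteral(title) + "');";
}

// Evaluate a generated snippet against a stub that records what it was given.
function runSnippet(snippet) {
  const calls = [];
  const stub = (id, text) => calls.push({ id, text });
  try {
    new Function('ChangeContainerContent', snippet)(stub);
    return { ran: true, calls };
  } catch (err) {
    return { ran: false, error: err.name, calls };
  }
}

const title = "Delete 'Q3 report'?"; // constructed input containing quotes
for (const build of [buildUnencoded, buildWholeSnippetEncoded, buildLiteralEncoded]) {
  console.log(build.name, JSON.stringify(runSnippet(build(title))));
}
```

Only the literal-encoded form both runs and delivers the title unchanged; the unencoded form works only while the title happens to contain no quote characters.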

Thank you João, that was most helpful!