{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 劫难 的问题《Sanitizing Input with JsonConvert.SerializeObject》','https://www.manongdao.com/q-655703.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Long story short, I'm trying to get the output from JsonConvert.SerializeObject to be sanitized without having to modify the contents of the saved data.
I'm working on an app that has the following markup in the view:
<textarea data-bind="value: aboutMe"></textarea>
If I save the following text, I run into problems:
<script type="text/javascript">alert("hey")</script>
The error I get in FF:
The relevant part of the offending rendered text:
$(document).ready(ko.applyBindings(new MyProfileVm({"profileUsername":"admin","username":"Admin","aboutMe":"alert(\"hey\")","title":"Here's a short self-bio! :)","thumbnail":"https://i.imgur.com/H1HYxU9.jpg","locationZip":"22182","locationName":"Vienna, VA"
And finally - at the bottom of my view:
<script type="text/javascript">
$(document).ready(ko.applyBindings(new MyProfileVm(@Html.Raw(JsonConvert.SerializeObject(Model, new JsonSerializerSettings() { ContractResolver = new CamelCasePropertyNamesContractResolver() })))));
</script>
Here, I'm passing the model that I get from the MVC controller into the js ViewModel for knockout to map into observable data. The Raw encoding seems to be the problem, but I'm not sure how to go about handling it.
To be clear, I'm getting data from the server, and outputting it to the client, which is mucking up the JSON/KO combo.
I've had a similar problem, it came from using knockout.js to get input from a
<textarea>just like you did. Everything was fine on the "create" part, but once I put the data back into an action via@Html.Raw(...), it turned out to contain linefeed and carriage-return characters that broke the json string. So I added something like this:(I know it doesn't handle "\\\", but that doesn't appear from knockout)
Then I build my anonymous classes and do this:
Maybe this can help you. I found it by breaking in the razor view and looking at the strings. This problem also appears with unesacped tabs (\t) and possibly other escape sequences.
The problems is that you cannot have a closing
</script>tag inside a JavaScript string literal because the browser interprets it as then end of the script block. See also: Script tag in JavaScript stringThere is no builtin function in Asp.Net what could handle it on the server side you before outputting your generated script you need to replace the
</script>to something else:Of course if you will need this in multiple place you can move this logic into a helper/extension method, like:
And use it with:
And on the JavaScript side in your Knockout viewmodel you need to replace back the
</script>tag before the usage:Of course you can also create a helper function for this, like:
And use it with:
Demo JSFiddle.