Ayende @ Rahien

Matt Shannon commented on Resolving cross site scripting issues.

Tue, 21 Sep 2010 06:26:02 GMT

To further elaborate on Steve Gentile's comment, it is better to build a string up and update the DOM a single time rather than updating it per row. See [http://jqfundamentals.com/book/book.html](http://jqfundamentals.com/book/book.html) and [blog.rebeccamurphey.com/in-search-of-javascript...](http://blog.rebeccamurphey.com/in-search-of-javascript-developers-a-gist)

Michael Fever commented on Resolving cross site scripting issues.

Tue, 21 Sep 2010 02:06:31 GMT

Not all browsers show it the same way, but they will direct you to the line # of the problem. Chrome has the best devtools .. worth checking out.

Miranda commented on Resolving cross site scripting issues.

Sun, 19 Sep 2010 20:16:40 GMT

Or... you could just encode everything? I'm not sure what this is all about.

Jonas commented on Resolving cross site scripting issues.

Sun, 19 Sep 2010 19:58:26 GMT

Fixing just one instance of a problem is a sin You definitely have more problems like that and one alone is enough to hijack another user's credentials.

Steve Gentile commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 20:55:49 GMT

As above that JsonDiv is getting wrapped twice It was recommended to me to use $jsonDiv as a variable name to make it clear that it was already a wrapped jQuery object

Luke commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 19:25:22 GMT

Oops...my bad Oren.

Felipe Fujiy commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 18:54:15 GMT

I didn´t understand why that string is show in UI and executing too.

Ayende Rahien commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 12:47:40 GMT

Marcus, That is the same behavior in all browsers.

Marcus commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 12:24:22 GMT

@Andrew: thanks thats explains it He seems to be using Chrome though, according to the first image, maybe Chrome has that functionality too.

Andrew commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 12:21:06 GMT

@Marcus: At least in Firebug when the javascript 'debugger;' statement is encountered; this simulates a breakpoint.

tobi commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 12:14:46 GMT

Nice technique. Are 100% percent sure that the "key" is already encoded as well? At the very least it can contain umlauts which have to be html encoded (or you might find yourself debugging a much harder problem a year in the future).

Marcus commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 11:56:47 GMT

@Mike: no thats not what I mean, I mean the other yellow-marked word 'debugger', how does that bring him to the line of javascript code?

Ken Egozi commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 11:49:31 GMT

you should look into some kind of string templating instead of the concatenations EJS is a great pick. it gives you a syntax similar to php/asp/ERB that is extremely familiar. so you'd be creating the markup in using a view, then transferring the markup built to jQuery to be inserted to the DOM

Mike Scott commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 11:49:13 GMT

Oren, sweet use of the debugger breakpoint! I also wanted to suggest chaining the calls to append() in your jquery to prevent doing the $(childDiv) lookup multiple times, for example.

Mike Scott commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 11:44:24 GMT

Marcus Do you mean the tooltip that displays the value of the children variable? Because the value isn't HTML encoded, any javascript will be inserted straight into that

Marcus commented on Resolving cross site scripting issues.

Sat, 18 Sep 2010 10:49:14 GMT

Excuse my incompetence but can you elaborate the connection between the yellowish debbuger variable and the javascript line of code?