C# String.Format - Invalid input string
I have a MVC3 HtmlHelper extension like this:

public static MvcHtmlString ShowInfoBar(this HtmlHelper helper, string message, InfoMessageType messageType)
{
    return MvcHtmlString.Create(String.Format(@"<script type=""text/javascript"">$(document).ready(function () { gtg.core.showInfoBar('{0}', '{1}'}; );</script>", message, messageType.ToString().ToLower()));
}

The value of message is "The product "Product Name" was saved successfully."

The value of messageType is info.

It keeps saying Input string was not in the correct format.

I am stuck??

Felloe answered 17/8, 2011 at 17:50 Comment(1)
Is there an error if you just enter the string without using the String.Format() method on it? - Breeze
On every brace that isn't a token you must double - so

function() {{

Etc

Also - consider XSS here - is message escaped correctly for inserting into JavaScript?

Terranceterrane answered 17/8, 2011 at 17:54 Comment(10)
Could you point me somewhere to learn about this a little more? Thanks! - Felloe
Which, XSS? Anywhere. Wikipedia would be a start. All you'd need is a ' message " with ' quotes " in to test it (although full escaping is more than just quotes) - Terranceterrane
Excellent mention of whether the method parameter is escaped for JavaScript correctly. - Brachylogy
So this is what it outputs: <script type="text/javascript">$(document).ready(function () { gtg.core.showInfoBar('The product "Rich Classic Chocolate" was saved successfully.', 'info'); });</script> Is this escaped properly? - Felloe
@Felloe - I can't answer that without seeing what it does with a product name of O'Neills' "oatey" Hobnobs - Terranceterrane
@Marc - This is what it outputs: <script type="text/javascript">$(document).ready(function () { gtg.core.showInfoBar('O'Neills' "oatey" Hobnobs', 'info'); });</script> and the script does not do what it is supposed to do. In the console of Chrome I get Uncaught SyntaxError: Unexpected identifier - Felloe
@Felloe right; so currently it is broken. Now imagine that I carefully created a product name like '); stealYourCookiesAndPostThemSomewhere(); // - and I've hacked your login - hence XSS. The simplest option is to write the data to a hidden element somewhere and read it out. Another option is to use something like JavascriptSerializer to write JSON (which will then be escaped). A plain JSON escape would be welcome, too. - Terranceterrane
@Marc - So would you have to have access to the server to do that? I mean you would have to have access to input that from somewhere, right? So in this case, while it is an XSS, this is a backend manager for a site, so I would assume it is not a very high probability, but if this were available to the public user it could be a serious issue? - Felloe
@Felloe it all depends on context of course - you could argue that simply not being able to correctly handle O'Neills' biscuits is enough of a bug. But also don't underestimate the amount of evil committed internally to an organisation (especially shortly after a bad pay review, etc) - it isn't just the unwashed public that are capable of doing harm. - Terranceterrane
@Marc - I totally feel you on that. Thanks for the help! - Felloe
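Putting the two points of this answer together (doubled braces for String.Format, and the message escaped before it lands inside a JavaScript string literal), as an added example that is not code from the question or any answer. It uses a hand-written escape in place of the JavascriptSerializer suggested above; InfoMessageType is assumed to be an enum, and the MvcHtmlString wrapper is left out so the code runs as a console program.

```csharp
using System;
using System.Text;

public enum InfoMessageType { Info, Warning, Error }  // assumed enum

public static class InfoBarHelper
{
    // Escapes a string for use inside a single-quoted JavaScript literal:
    // quotes, backslashes, line terminators and "/" (so "</script>" in the
    // message cannot end the script element early).
    public static string JsStringEscape(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s ?? string.Empty)
        {
            switch (c)
            {
                case '\\': sb.Append("\\\\"); break;
                case '\'': sb.Append("\\'"); break;
                case '"': sb.Append("\\\""); break;
                case '/': sb.Append("\\/"); break;
                case '\n': sb.Append("\\n"); break;
                case '\r': sb.Append("\\r"); break;
                case '\u2028': sb.Append("\\u2028"); break;
                case '\u2029': sb.Append("\\u2029"); break;
                default:
                    if (c < ' ') sb.AppendFormat("\\u{0:x4}", (int)c);
                    else sb.Append(c);
                    break;
            }
        }
        return sb.ToString();
    }

    // Literal braces in the format string are doubled ({{ and }});
    // only {0} and {1} are substitution tokens.
    public static string BuildInfoBarScript(string message, InfoMessageType messageType)
    {
        return String.Format(
            @"<script type=""text/javascript"">$(document).ready(function () {{ gtg.core.showInfoBar('{0}', '{1}'); }});</script>",
            JsStringEscape(message),
            messageType.ToString().ToLower());
    }

    public static void Main()
    {
        // Constructed sample input: the product name from the comment thread above.
        Console.WriteLine(BuildInfoBarScript("O'Neills' \"oatey\" Hobnobs", InfoMessageType.Info));
    }
}
```

With that input the emitted call reads showInfoBar('O\'Neills\' \"oatey\" Hobnobs', 'info'), which parses as a single string argument rather than breaking out of the literal.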
Escape your squiggly brackets {{ }} in the format string

String.Format(@"<script type=""text/javascript"">$(document).ready(function () {{ gtg.core.showInfoBar('{0}', '{1}'); }});</script>", message, messageType.ToString().ToLower())
Swan answered 17/8, 2011 at 17:53 Comment(0)
You need to escape the curly braces:

{{ and }}

String.Format(@"<script type=""text/javascript"">$(document).ready(function () {{ gtg.core.showInfoBar('{0}', '{1}'); }});</script>",
              message, messageType.ToString().ToLower())
Inflammatory answered 17/8, 2011 at 17:53 Comment(0)
In my case I used the bracket for JsonP formatting. JsonP requires a '{' too. By escaping the { like this: '{{', my problem was solved.

Guitarfish answered 27/2, 2013 at 12:32 Comment(0)
I have tried as below, and it's working.

string.Format(@"ExecuteOrDelayUntilScriptLoaded(function () {{ Your function. 
Urbanus answered 17/6, 2015 at 3:58 Comment(0)