authorAndrew Arnott <andrewarnott@gmail.com>2008-08-29 08:44:43 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2008-08-29 08:44:43 -0700
commit67102dc426e7ca90095b6aa8bee4a60b31117e7c (patch)
tree40dccebe135bf556b38ffe522b8834ad2709888d /src/DotNetOpenId/Util.cs
parent190ba46c2003e5e2b9dc764a4c4c50db31954301 (diff)
Added support for the Simple Registration extension to be seen in javascript for the ajax login control.
Diffstat (limited to 'src/DotNetOpenId/Util.cs')
-rw-r--r--src/DotNetOpenId/Util.cs35
1 files changed, 35 insertions, 0 deletions
diff --git a/src/DotNetOpenId/Util.cs b/src/DotNetOpenId/Util.cs
index 64a1be9..6b0efaf 100644
--- a/src/DotNetOpenId/Util.cs
+++ b/src/DotNetOpenId/Util.cs
@@ -249,6 +249,41 @@ namespace DotNetOpenId {
return true;
}
+ // The characters to escape here are inspired by
+ // http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript
+ static readonly Dictionary<string, string> javascriptEscaping = new Dictionary<string,string> {
+ {"\t", @"\t" },
+ {"\n", @"\n" },
+ {"\r", @"\r" },
+ {"\u0085", @"\u0085" },
+ {"\u2028", @"\u2028" },
+ {"\u2029", @"\u2029" },
+ {"'", @"\x27" },
+ {"\"", @"\x22" },
+ {"\\", @"\\" }, // perhaps move this to the top so that newline characters still end up as newline characters and not "\n" sequences
+ {"&", @"\x26" },
+ {"<", @"\x3c" },
+ {">", @"\x3e" },
+ {"=", @"\x3d" },
+ };
+
+ /// <summary>
+ /// Prepares what SHOULD be simply a string value for safe injection into Javascript
+ /// by using appropriate character escaping.
+ /// </summary>
+ /// <param name="value">The untrusted string value to be escaped to protected against XSS attacks.</param>
+ /// <returns>The escaped string.</returns>
+ public static string MakeSafeJavascriptValue(string value) {
+ if (value == null) return "null";
+ // We use a StringBuilder because we have potentially many replacements to do,
+ // and we don't want to create a new string for every intermediate replacement step.
+ StringBuilder builder = new StringBuilder(value);
+ foreach (var pair in javascriptEscaping) {
+ builder.Replace(pair.Key, pair.Value);
+ }
+ return builder.ToString();
+ }
+
internal delegate R Func<T, R>(T t);
/// <summary>
/// Scans a list for matches with some element of the OpenID protocol,
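Review bot: `MakeSafeJavascriptValue` applies the `javascriptEscaping` table as a sequence of whole-string `Replace` passes, so the backslash entry `{"\\", @"\\" }` runs after the `\t`/`\n`/`\r` entries and re-escapes the backslashes they just produced: an input newline comes out as `\\n`, which JavaScript reads as a literal backslash followed by `n` rather than a line break, exactly what the trailing comment on that line suspects. Moving the backslash entry to the top only helps by accident, because enumeration order of a `Dictionary<string,string>` is not part of its contract. A single pass over the input that looks each character up in the table removes the order dependence entirely and also stops rescanning the whole string once per table entry; every key in the table is a single character, so the lookup below covers all of them, and a `Dictionary<char, string>` keyed by char would additionally avoid the per-character `ToString()` allocation. The enclosing class continues outside the hunk.
```csharp
public static string MakeSafeJavascriptValue(string value) {
	if (value == null) return "null";
	// Single pass: each input character is looked up exactly once, so an
	// escape sequence emitted for one entry can never be re-escaped by another.
	StringBuilder builder = new StringBuilder(value.Length);
	foreach (char c in value) {
		string escaped;
		if (javascriptEscaping.TryGetValue(c.ToString(), out escaped)) {
			builder.Append(escaped);
		} else {
			builder.Append(c);
		}
	}
	return builder.ToString();
}
```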