I use Uploadify to upload multiple files through ajax. Each time a file has been uploaded through an ajax request, and successfully saved on the server, I return the file name of that file to the client, BASE64 encoded.
I then add a DIV to the DOM where I use the BASE64 encoded file name as the value of a data attribute of that DIV, which I use as a unique reference to that DIV.
Secondly, I add an image to that DIV with an OnClick function to remove that file from the server through ajax, and I use that same BASE64 encoded filename as a parameter.
Example for an uploaded file 'test.pdf':
<div data-id="dGVzdC5wZGY="><img onclick="RemoveFile('dGVzdC5wZGY=')"/></div>
I access the DIV using jQuery:
$("div[data-id='" + fn64 + "']")
where fn64 is the BASE64 encoded file name sent as a parameter.
Is there any way a user can create a filename which would break either my HTML or javascript? Or any other XSS risks? XSS is such a complicated matter that it's making me paranoid.
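An added example, not part of the original post: a check that a value really is standard Base64 (alphabet `A-Z a-z 0-9 + / =`) before it is concatenated into the markup or the jQuery selector shown above. The function names and the sample file names are constructed for illustration.

```javascript
// Added example; all names and sample data here are hypothetical.

// Standard Base64 (RFC 4648) with correct padding. The alphabet contains no
// quote, angle bracket, backslash or bracket characters.
const BASE64_RE =
  /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

function isStrictBase64(value) {
  return typeof value === "string" && value.length > 0 && BASE64_RE.test(value);
}

// UTF-8 safe Base64 of a file name (stands in for the server-side encoder).
function encodeFileName(name) {
  let binary = "";
  for (const b of new TextEncoder().encode(name)) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Build the attribute selector only from a validated value.
function selectorFor(fn64) {
  if (!isStrictBase64(fn64)) throw new Error("not a Base64 value");
  return 'div[data-id="' + fn64 + '"]';
}

// Build the markup from the post, refusing anything outside the alphabet.
function fileRowHtml(fn64) {
  if (!isStrictBase64(fn64)) throw new Error("not a Base64 value");
  return '<div data-id="' + fn64 + '"><img onclick="RemoveFile(\'' +
    fn64 + '\')"/></div>';
}

// Constructed file names with characters that matter in HTML, JS and CSS.
const SAMPLE_NAMES = ["test.pdf", "a'b\"c.pdf", "<b>.png", "x']);.txt", "résumé.pdf"];

// Encode every sample and report whether the result stays inside the alphabet.
function checkSamples() {
  return SAMPLE_NAMES.map((name) => {
    const fn64 = encodeFileName(name);
    return { name, fn64, safe: isStrictBase64(fn64) };
  });
}
```

The check only holds if every value placed in the page passes it, so it belongs on each code path that writes the DIV or builds the selector. `+` and `/` are harmless inside quoted attributes and selectors, but `+` decodes to a space in form-encoded request bodies, so the value still needs `encodeURIComponent` when sent back as an ajax parameter.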