How to Break Javascript Escape Function

I have a theory that some null values are getting into our database because part of the Javascript validation is using the method below:

function GV(n) { try{ return escape(document.getElementsByName(n)[0].value); }catch(e){return null;} }

...however I can't very well prove it, because I can't seem to make escape have an exception and return null. What kind of characters or character sequences can cause the escape function to throw an exception?

Thanks,
Jim

Shouldn't your serverside validation catch that before it goes into the database?

Also you probably would be better off using encodeURIComponent and not escape.

Eric

Shouldn't your serverside validation catch that before it goes into the database?

Also you probably would be better off using encodeURIComponent and not escape.

Yes this is true - but in order to persuade management that the JavaScript is the culprit, I need to be able to prove that the function "GV" described above can actually have an exception that returns the value as "null" which is then inserted into the database.

At the moment they think it could either be the Javascript or some weird Java/Database code interaction.

I am of the opinion there's no way the latter is the case - but a good working example of the Javascript escape function throwing an exception speaks a thousand words.

Jim

Only way that code will throw an error from my knowledge is if you do not have any elements with the name that is provided.

If you still think it is escape. Build yourself a loop that goes through every single character known to man and see what happens.

If it is some public script, it could easily be a bot filling out your forms with JS disabled.

You should never trust JavaScript Validation/Manipulation for forms. I would blame the server and not the client. And if you have an issue with that null, why is it returning null and not some other value?

Eric

If null is not a reasonable value to return at that point, why is that code there in the first place? Eating exceptions, whether it be in Java code or JavaScript, is rarely the correct thing to do.

Why not just let the exception propagate so you'll know when the problem occurs rather than polluting the database and wondering why later?

And, how is the null getting to the database after the server-side checks?

Does management need to be convinced to replace code that's just plain poor?

[Edit: bonk! it's amazing how alike Eric and I think...]