tags:

views:

381

answers:

4
Q: 

Escaping characters in javascript strings

I thought that escaping quote characters in javascript was done by either using the other style of quote 

"xxx ' yyy"

or 

'xxx " yyy'

or using a backslash to quote them 

'xxx \' yyy\'

or 

"xxx \" yyy"

but that doesn't seem to work in the problem I am currently working on.

The code I want to put in my generated HTML is: 

<input type="text" value="MyValue" name="MyName" 
    onChange="MyFunction(this, 0, 99999, ['XXX', this.value, 'YYY']);">

The question is what escaping is needed for the string YYY?

I thought escaping single quote (') would be fine, but then I would also need to escape double quote (") as that is the outer wrapper for the onChange code.

Lets say the string I want for YYY is: 

SQ' DQ" LT< GT> AMP&

so I tried outputting 

<input type="text" value="MyValue" name="MyName" 
     onChange="MyFunction(this, 0, 99999,
         ['XXX', this.value, 'SQ\' DQ\" LT< GT> AMP&']);">

but FireFox saw the "<" as breaking the code

Eventually, to keep FireFox happy, I had to use 

SQ\' DQ\x22 LT\x3C GT\x3E AMP\x26

i.e. 

<input type="text" value="MyValue" name="MyName"
    onChange="MyFunction(this, 0, 99999,
        ['XXX', this.value, 'SQ\' DQ\x22 LT\x3C GT\x3E AMP\x26']);">

this is a heck of a lot more escaping than I had expected. Is it really necessary, or have I missed something more straightforward?

Thanks.

+3  A: 

You're escaping on the wrong level - before it even gets to parsing the javascript, it needs to parse the HTML it's embedded in.

Use the HTML entities &quot;, &lt; and &gt; and you'll be fine.

<input type="text" onChange="MyFunction(... ['&quot; &lt; &gt; &quot;']);">
Greg  2009-10-06 19:19:41
+1 - I wasn't thinking clearly about what he was doing, I was too focused on what he wrote, and your suggestion of the entities is better.
James Black  2009-10-06 19:20:44
A: 

Why not break it up: innerHTML = ' ' + "AMP&']);" + '">';

This leads me to think you have a problem with your design though, and you may want to rethink what you are doing.

For example, you should do this with DOM functions, then this problems becomes simpler, rather than trying to do all this in innerHTML.

James Black  2009-10-06 19:19:49
A: 

In xml/html attributes symbols < and > should be escaped: &lt; and &gt;

Anatoliy  2009-10-06 19:24:46
+1  A: 

The problem is that you need to the escape the code twice. First you need to escape the characters to put them in the Javascript string literal, then you have to HTML encode the entire Javascript code to put it in the onclick attribute in the HTML tag.

First, to encode the string in the Javascript, it would look like this:

MyFunction(this, 0, 99999, ['XXX', this.value, 'SQ\' DQ" LT< GT> AMP&']);

Then you HTML encode the entire script. In this case there are only characters that need encoding inside the string:

<input type="text" value="MyValue" name="MyName"
   onChange="MyFunction(this, 0, 99999,
   ['XXX', this.value, 'SQ\' DQ&quot; LT&lt; GT&gt; AMP&amp;']);">
Guffa  2009-10-06 19:27:19

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript