views:

1344

answers:

5

This is so stupid, but I can NOT figure this one out. I'm outputting values from a database (it isn't really open to public entry, but it is open to entry by a user at the company -- meaning, I'm not worried about XSS.)

I'm trying to output a tag like this:

<a href="" onclick="DoEdit('DESCRIPTION');">Click Me</a>

DESCRIPTION is actually a value from the DB that is something like this:

Prelim Assess "Mini" Report

I've tried replacing " with \", but no matter what I try, Firefox keeps chopping off my javascript call after the space after the word Assess, and it is causing all sorts of issues.

I must be missing the obvious answer, but for the life of me I can't figure it out.

Anyone care to point out my idiocy?

Here is the entire HTML page (it will be a .Net page eventually, but in order to solve this I took out everything else but the problem code):

<html>
    <body>
        <a href="#" onclick="DoEdit('Preliminary Assessment \"Mini\"'); return false;">edit</a>
    </body>
</html>
+3  A: 

you need to escape the string you are writing out into DoEdit to scrub out the double-quote characters, they are causing the onclick HTML attribute to close prematurely.

Using the Javascript escape character, \, isn't sufficient in the HTML context, you need to replace the double-quote with the proper XML entity representation, &quot;

Aaron
Right, but wouldn't that be this?

<a href="#" onclick="DoEdit('Preliminary Assessment \"Mini\"'); return false;">edit</a>

I tried that, and it is still screwing up. This has got to be a simple WTF but for the life of me, I can't see it.
Matt Dawdy
And evidently I can't read. Thanks for the answer.
Matt Dawdy
Is there any built-in JavaScript function that would escape the double quotes? Apart from 'quo"'.replace('"', '"') I can't find anything.
kevin
It's not a JavaScript issue, it's an HTML/XML encoding issue: you can't have double-quote characters inside an attribute's value w/o escaping them... otherwise browsers/parsers think you're ending the attribute value declaration.
Aaron
A: 

I have done a sample one using jQuery

var descr = 'test"inside"outside';
$(function(){
   $("#div1").append('<a href="#" onclick="DoEdit(descr);">Click Me</a>');       
});

function DoEdit(desc)
{
    alert ( desc );
}

and this works in IE and FF.

rahul
Of course it does, because you aren't putting it directly in the attribute. To use your method, I'd have to create an array of JS strings, then do an arbitrary number of $("#divxxx")... assignments. Less than optimal, but thanks for the suggestion.
Matt Dawdy
+2  A: 

The problem is that html doesn't recognize the escape character. You could work around that by using the single quotes for the html attribute and the double quotes for the onclick.

<a href="#" onclick='DoEdit("Preliminary Assessment \"Mini\""); return false;'>edit</a>
dl
Yikes. I was wondering why I naturally resorted to using ' for the attribute in the past. I just never delved into it all that deeply. Thanks.
Matt Dawdy
+1  A: 
<html>
    <body>
        <a href="#" onclick="DoEdit('Preliminary Assessment &quot;Mini&quot;'); return false;">edit</a>
    </body>
</html>

Should do the trick.

kristian
Sheesh. Thanks for that! Works perfectly.
Matt Dawdy
A: 

What about escaping whitespace as well? It sounds to me like Firefox is assuming three arguments instead of one. &nbsp; is the non-breaking space character. Even if it's not the whole problem, it may still be a good idea.

the Hampster