Hi all,

I have some HTML code rendered on the server side. This is passed to a JSP which renders a JavaScript call with this HTML:

<script type="text/javascript">
    window.parent.${param.popup_return}("${helpId}", "${content}");
</script>

content is like

"
This is a <p class="xyz">test</p>
"

My problem is that, because of the quotes in 'content', the JavaScript call is wrong, as it is rendered to

<script type="text/javascript">
    window.parent.${param.popup_return}("ybc", "This is a <p class="xyz">test</p>");
</script>

Does anyone know how I can solve this (besides manually replacing all quotes)?

A: 

Use a JSON encoder to create the encoded strings.

But you'll also have to ensure that the output doesn't contain the sequence </ in string literals, which is invalid in a <script> block (</script is the version that will also break browsers).

Many JSON encoders either by default or optionally will encode to <\/ or \u003C/ to avoid this problem.

bobince
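
The encoding this answer describes, as an added example that is not part of the original thread: a JSON-encoded string literal with `<` rewritten so no `</` can appear inside the script block. It is written in JavaScript (Node.js) so it runs as-is; in the JSP the same encoding would be done server-side by a JSON library. The function names, the `showHelp` callback and the identifier check on the callback name are assumptions made for the example.

```javascript
// Added example, not code from the thread. Function names are hypothetical.

// Encode a value as a JavaScript string literal that can sit inside an
// inline <script> block. JSON.stringify handles quotes, backslashes and
// newlines; the extra replacements keep "</script" and "<!--" out of the
// literal, escape & for pages served as XHTML, and escape U+2028/U+2029
// for older JavaScript engines.
function jsStringForScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003C')
    .replace(/>/g, '\\u003E')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Assumption: the callback name (param.popup_return in the question) should
// be a plain identifier, so anything else is rejected rather than escaped.
function safeCallbackName(name) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name)) {
    throw new Error('invalid callback name');
  }
  return name;
}

// Build the same <script> block the JSP in the question renders.
function renderPopupScript(callback, helpId, content) {
  return '<script type="text/javascript">\n' +
    '    window.parent.' + safeCallbackName(callback) + '(' +
    jsStringForScript(helpId) + ', ' + jsStringForScript(content) + ');\n' +
    '</script>';
}

// Constructed sample input: the content from the question, plus a line break
// and a closing script tag, which are the two cases that break naive quoting.
const sampleContent = 'This is a <p class="xyz">test</p>\n</script>';
console.log(renderPopupScript('showHelp', 'ybc', sampleContent));
```

Because the escapes are ordinary `\uXXXX` sequences, the browser's JavaScript parser turns them back into the original characters, so the callback receives the HTML unchanged.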
A: 

I use this:

<div id="result" style="display:none">
  ${content}
</div>
<script type="text/javascript">
  window.parent.${param.popup_return}("${helpId}", dojo.byId("result").innerHTML);
</script>

This seems to work perfectly.

Michael
A: 

You aren't using JSTL here (you originally tagged the question with only JSTL). You are using EL in template text. It gets printed plain as-is. You'd like to use JSTL core <c:out> to escape predefined XML entities (which also works for HTML in this particular case; quotes are among the escaped XML entities).

window.parent.${param.popup_return}("<c:out value="${helpId}" />", "<c:out value="${content}" />");

An alternative (if you hate that the JSP syntax highlighter or validator bugs/jerks about nested tags/quotes) is the JSTL function fn:escapeXml():

window.parent.${param.popup_return}("${fn:escapeXml(helpId)}", "${fn:escapeXml(content)}");

BalusC
A: 

Have you tried using single quotes instead of double quotes? i.e. changing "${content}" to '${content}'

Ian Oxley