views: 309
answers: 4

I'm wanting to capture my search terms and pass them to a JavaScript variable, but I don't know how to handle quotes that might come through.

Here's what I have currently:

var searchTerms = "<!--#echo var="terms"-->";
var pattern = / /g;
var newSearchTerms = searchTerms.replace(/[^a-zA-Z 0-9]+/g,'');
var searchStr=newSearchTerms.replace(pattern,"_");

I'm concerned that should "terms" contain double quotes (or an apostrophe if I use single quotes in the JS) then my function will fail.

How do I escape the string before it gets into script?

Thanks,
Steve


Edit/answer: I ended up doing this by moving this to an external script that captured and parsed the querystring rather than echoing it in the HTML.

+3  A: 

If terms contains quotation marks, by the time you have done var searchTerms = "<!--#echo var="terms"-->"; it is already too late to replace any quotation marks; your JavaScript will be invalid. For example, if terms contains These are the "terms" your JavaScript would appear as follows (and produce a syntax error in the browser):

var searchTerms = "These are the "terms"";

If you are sure terms only contains double-quotes, you could do:

var searchTerms = '<!--#echo var="terms"-->';

If it could contain both single-quotes and double-quotes, you need to sanitize the output on the server using a server-side technology more sophisticated than <!--#echo var="..."-->.

Grant Wagner
Alternatively, I think you can set a variable to '"' in JavaScript. Example: var DoubleQuotes = '"'; var searchTerms = "<!--#echo var=" + DoubleQuotes + "terms" + DoubleQuotes + "-->"; This is useful when obfuscating.
Dalin Seivewright
I don't think the server will process that statement as shown. I could be mistaken though.
Grant Wagner
@Dalin - I can't imagine the server being able to deal with that, but I'm interested in the idea that you can set DoubleQuotes. Could I read that to mean that I could do: DoubleQuotes = '"'; var searchTerms = DoubleQuotes + <!--#echo var="terms"--> + DoubleQuotes;
Steve Perks
DQ = '"'; var searchTerms = DQ + <!--#echo var="terms"--> + DQ; won't work. Given the same string above, you'd end up with var searchTerms = '"' + These are the "terms" + '"'; The result of the #echo isn't valid JavaScript, you'd still get a client-side syntax error.
Grant Wagner
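As an added example (not code from the original question or answers), the following JavaScript models what the server emits for the question's line and what Grant Wagner means by sanitizing on the server: the value is escaped for a JavaScript string context before it is placed in the literal. The renderInline/renderEscaped functions and the parse check are assumptions used for the demonstration; they stand in for the SSI echo and the browser's parser.

```javascript
// Added example, not from the original post. renderInline() reproduces what
// <!--#echo var="terms"--> expands to on the server for a given value of
// terms; renderEscaped() shows the server-side escaping the answer calls for.

// Naive template: exactly what the question's line becomes after the echo.
function renderInline(terms) {
  return 'var searchTerms = "' + terms + '";';
}

// Escape a value for a JavaScript string literal. JSON.stringify handles
// quotes, backslashes and control characters; '<' and the U+2028/U+2029
// line separators are escaped as well so the literal can never end the
// enclosing <script> element or the statement, whatever the user typed.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Server-side rendering with the escaped literal (what "sanitize on the
// server" amounts to for this output context).
function renderEscaped(terms) {
  return 'var searchTerms = ' + jsStringLiteral(terms) + ';';
}

// Does the generated text parse as JavaScript? Mirrors the browser: a
// syntax error means the whole script block is thrown away.
function parsesAsJs(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Run the generated statement and hand back the value the page would see.
function evalSearchTerms(src) {
  return new Function(src + ' return searchTerms;')();
}

// The question's own post-processing, kept as written: strip everything
// except letters, digits and spaces, then turn spaces into underscores.
function toSearchStr(terms) {
  return terms.replace(/[^a-zA-Z 0-9]+/g, '').replace(/ /g, '_');
}

// Constructed sample input from the answer's example.
const SAMPLE_TERMS = 'These are the "terms"';
console.log(renderInline(SAMPLE_TERMS), parsesAsJs(renderInline(SAMPLE_TERMS)));
console.log(renderEscaped(SAMPLE_TERMS), parsesAsJs(renderEscaped(SAMPLE_TERMS)));
console.log(toSearchStr(evalSearchTerms(renderEscaped(SAMPLE_TERMS))));
```

The point of the parse check is that the question's regex clean-up never runs when quotes are present: the browser rejects the script block before any statement executes, so the only place the value can be made safe is on the server, before it is written into the page.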
+1  A: 

I would add a JavaScript handler to the onchange event for the search textbox: capture the keystroke and ignore the quotes and any other special characters that might be entered. If the input is coming from the server side, then sanitize it before sending it to your script.

Victor
+2  A: 

From your code it looks like you're using Apache SSI includes. The echo SSI has an attribute called encoding which will let you specify URL-style encoding. You can encode quotes this way and simply unencode in JavaScript with unescape().

Try this:

var terms = "<!--#echo encoding="url" var="terms"-->";
terms = unescape(terms);
Triptych
Sorry Triptych, but that's not working on my setup of SSI, though I think I'm going to have to go down that path (unless I can get some more mileage out of Dalin's comment).
Steve Perks
Note that order is important; the "encoding" attribute MUST come before the "var" attribute.
Triptych
Yeah, I copied it verbatim. Our server's got minimal stuff turned on.
Steve Perks
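The following added example (not from Triptych's answer) models the encode-on-the-server, decode-in-the-browser round trip. The server side is approximated with encodeURIComponent, standing in for Apache's <!--#echo encoding="url" var="terms"-->, which is an assumption about how closely the two encodings match; the client side uses decodeURIComponent instead of the deprecated unescape(), and the last function shows why that matters for non-ASCII input.

```javascript
// Added example, not from the original answer. The server's url encoding is
// approximated with encodeURIComponent (assumption: Apache's encoding="url"
// percent-encodes the same way); the client decodes after the literal has
// been parsed safely.

// Server side (approximation): percent-encode the value before it is placed
// in the double-quoted literal. ", \, <, newlines and non-ASCII all become
// %XX, so the literal is always well-formed. encodeURIComponent leaves the
// apostrophe alone, so it is encoded explicitly in case the literal is ever
// switched to single quotes.
function renderUrlEncoded(terms) {
  const encoded = encodeURIComponent(terms).replace(/'/g, '%27');
  return 'var terms = "' + encoded + '";';
}

// Client side: decodeURIComponent, which understands multi-byte UTF-8
// sequences such as %C3%A9; unescape() does not.
function decodeTerms(encoded) {
  return decodeURIComponent(encoded);
}

// Demo helper: run the generated statement the way the browser would, then
// decode the value it assigned.
function loadTerms(terms) {
  const encoded = new Function(renderUrlEncoded(terms) + ' return terms;')();
  return decodeTerms(encoded);
}

// The pitfall with the answer's unescape(): each %XX becomes one code unit,
// so UTF-8 input comes back mangled.
function legacyUnescape(encoded) {
  return unescape(encoded);
}

// Constructed sample inputs.
const HOSTILE = 'These are the "terms"';
console.log(renderUrlEncoded(HOSTILE));
console.log(loadTerms(HOSTILE));
console.log(loadTerms("caf\u00e9"), legacyUnescape(encodeURIComponent("caf\u00e9")));
```

Two checks worth keeping when adopting this: the generated line must contain exactly the two quote characters of the literal itself, and the decoded value must equal the original input, including non-ASCII characters, which is where unescape() silently differs.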
A: 

Both the idea of encoding the output and capturing and escaping the keystrokes are interesting solutions. Encoding the SSI output isn't working for me at the moment, though I'm setting that option in motion, but escaping the keystrokes makes me nervous as I'm not sure how well our search engine will deal with it.

Thanks for the two pointers towards a possible solution.

Steve Perks