problems with htmlspecialchars

Question

I am generating links from the following php code. The links appear in the browser, and the generated html code seems fine, however the links are not click-able. I have tested this in IE and FF, and tried to see with FireBug to no avail.

The code to generate my form

$uploadhtml = htmlspecialchars(json_encode("<form action='up.php' method='post'
enctype='multipart/form-data'>
<label for='file'>Filename:</label>
<input type='file' name='file' id='file'/> 
<br />
<input type='hidden' name='pk' value='".$pk."'>
<input type='hidden' name='username' value='".$USERNAME."'>
<input type='submit' name='submit' value='Submit' onclick=\"setTimeout(function() { 
updateByPk('Layer2', '".$pk."', '".$brand."', '".$pg."'); } ),1250);\" />
</form>"), ENT_QUOTES);

The resultant html code:

    <a onclick="makewindows(&#39;&quot;<form action=&#39;up.php&#39; method=&#39;
post&#39;\r\nenctype=&#39;multipart\/form-data&#39;>\r\n<label for=&#39;
`file&#39;>Filename:<\/label>\r\n<input type=&#39;file&#39; name=&#39;file&#39; id=&#39;`file&#39;\/> \r\n<br \/>\r\n<input type=&#39;hidden&#39; name=&#39;pk&#39; value=&#39;
380118179930&#39;>\r\n<input type=&#39;hidden&#39; name=&#39;username&#39; value=&#39;
janmaybach&#39;>\r\n<input type=&#39;submit&#39; name=&#39;submit&#39; value=&#39;
Submit&#39; onclick=\&quot;setTimeout(function() { updateByPk(&#39;Layer2&#39;, 
&#39;380118179930&#39;, &#39;Ed Hardy&#39;, &#39;1&#39;); } ),1250);\&quot; 
\/>\r\n<\/form>&quot;&#39;); return false;" href="#">Upload files</a>

I guess it's a JavaScript error, but I don't know how to pinpoint it?

edit: The html code without ENT_QUOTES:

<a href="#" onclick="makewindows('&quot;<form action='up.php' method='post'\r
\nenctype='multipart\/form-data'>\r\n<label for='file'>Filename:<\/label>\r\n<input 
type='file' name='file' id='file'\/> \r\n<br \/>\r\n<input type='hidden' name='pk' 
value='380118185183'>\r\n<input type='hidden' name='username' value='janmaybach'>\r
\n<input type='submit' name='submit' value='Submit' onclick=\&quot;setTimeout(function() 
{ updateByPk('Layer2', '380118185183', 'Ed Hardy', '1'); } ),1250);\&quot; 
\/>\r\n<\/form>&quot;'); return false;">Upload files</a>

It still is not clickable..., everything seems to be quoted correctly?

When I try without htmlspecial chars, the following html output is produced:

<input type='submit' name='submit' value='Submit' onclick=" settimeout(function()="" {="" updatebypk(="" layer2="" 380118179930="" ed="" hardy="" ,="" 1="" );="" }="" ),1250);="">
'); return false;"&gt;Upload files</a>

Answer 1

The parameter in your makewindows function ist not quoted. Your quotes are escaped (%#39). Replace it with ' and you're done.

Answer 2

As said in the comment to the question, this is absolutely horrendous code, and you're suffering the consequences. The main problem is the number of code levels: server code that renders Javascript, that renders HTML - and difference escapes at every level and interfere with each other.

To improve the situation, have a separate PHP page with the form and have your popup link open that page - no Javascript required. If you really want to avoid having that separate page at all costs, at least have the Javascript function that generates the form in the header of the page (non-dynamic) and have the link contain only a call to that function with your variables as parameters.

Answer 3

Your ENT_QUOTES flag is screwing up the output. If you look closely you'll see that there are no actual quotes in the HTML output - just escaped entities. Make a test that doesn't use htmlspecialchars(). You should escape the quotes with a backslash OR better still add the javascript functionality unobtrusively. jQuery might help you to achieve that http://jquery.com