views:

88

answers:

3

If I post a comment like "hello there dog" it works great, but if there are any special characters like ' or " the comment is posted successfully to the database but the jQuery code is not displaying the comment in the list.

Thanks for any tips.

function feedbacksubmit () {
    // Show the Ajax Loader
    $("#ajaxloader").css("display","inline");
    var textsubmitted = $("#feedbackinput").val();

    if (textsubmitted.length < 5) {
        alert("Don't forget to write something!");
        // Hide the Ajax Loader
        $("#ajaxloader").css("display","none");
    }
    else {
        $.post("/feedback/ajax/insert/", {feedback: textsubmitted},
            function(data) {
                // Place the comment in the top of the list
                $('<li></li>').prependTo("#comment-list").hide().prepend(data.commenttext2insert).fadeIn('slow');
                // Hide the Ajax Loader
                $("#ajaxloader").css("display","none");
                // Clear out the textarea
                $("#feedbackinput").val('');
            }, "json");
    }
}

Here is an example response that is not working with the jQuery code above:

{"returnmessage":"The Ajax operation was successful.","returncode":"0","commenttext2insert":"\n\t<div class=\"comment-header\">\n\t\t<span class=\"comment-avatar\">\n\t\t\t<a href=\"\">\n\t\t\t\t\n\t\t\t\t\t<img src=\"/_images/users/photos//17941/nobosh.jpg\" />\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t</a>\n\t\t</span>\n\t\t<span class=\"comment-author\">\n\t\t\t<a href=\"\">\n\t\t\t\t<b>BOB Man</b>\n\t\t\t</a>\n\t\t</span>\n\t\t<span class=\"comment-timestamp\">just now</span>\n\t</div>\n\t<div class=\"comment-body\">\n\t\t<p>12wsa\'</p>\n\t</div>\n"}
+1  A: 

Try something like:

$.post("/feedback/ajax/insert/", {feedback: escape(textsubmitted)},
...
giorgian
Question says: *the comment is posted successfully to the database* So I don't think that this is the problem ;)
BalusC
Correct, the comment is posted to the database successfully. I tried this but it sends the comment back as 12weqdsa%27asdadasd%27
AnApprentice
A: 

If you're preparing HTML on the server side, you need to make sure that all reserved HTML characters in user-controlled input are properly escaped, else it may cause the JS code to become syntactically invalid (and make your website prone to XSS). You need to escape at least the reserved HTML characters <, >, &, " and ' into the HTML entities &lt;, &gt;, &amp;, &quot; and &apos; respectively.

You mentioned that you're using ColdFusion, which is Java based. As the standard Java SE/EE API doesn't provide built-in facilities to escape them, you'll need to either write one yourself, e.g.

public static final String escapeHTML(String string){
    StringBuilder builder = new StringBuilder();
    for (char c : string.toCharArray()) {
        switch (c) {
            case '<': builder.append("&lt;"); break;
            case '>': builder.append("&gt;"); break;
            case '&': builder.append("&amp;"); break;
            case '"': builder.append("&quot;"); break;
            case '\'': builder.append("&apos;"); break;
            default: builder.append(c); break;
        }
    }
    return builder.toString();
}

...which can be used as

input = escapeHTML(input);

...or to grab, for example, Apache Commons Lang StringEscapeUtils#escapeHtml4, which can be used as

input = StringEscapeUtils.escapeHtml4(input);

Once again, only do this for user-controlled input. You don't need to do this for any HTML code which you hardcoded in the server side code (else it would get displayed plain as-is). Thus do something like:

StringBuilder comment = new StringBuilder();
comment.append("<div class=\"comment\">");
comment.append(escapeHTML(input));
comment.append("</div>");

That said, I already commented on your question with the hint that you'd better do this in jQuery, because that's after all much better for maintainability and reusability. You don't want to have raw HTML hidden somewhere in the depths of Java code. You also don't want to make the JSON result dependent on the purpose. Just return a generic (and HTML-sanitized) JSON result and let jQuery build the HTML.

BalusC
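As an added example (not code from the question or any answer), this vanilla JavaScript shows why the response in the question never reaches the success callback, and the approach the answer above ends on: return plain JSON fields and build the markup on the client with every field escaped. The names `parseResponse`, `buildResponse` and `renderComment` are hypothetical, and the sample comment text is constructed; the escape table mirrors the Java `escapeHTML` above but uses the numeric `&#39;` for the apostrophe.

```javascript
// Escape the five reserved HTML characters before interpolating user text into markup.
// Same table as the Java escapeHTML above, with &#39; instead of &apos; for the apostrophe.
function escapeHTML(s) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => table[c]);
}

// Parse a response body as strict JSON, as jQuery's dataType "json" does.
// Returns null instead of throwing, so the failure that silently skips the
// success callback in the question becomes visible to the caller.
function parseResponse(body) {
  try {
    return JSON.parse(body);
  } catch (e) {
    return null;
  }
}

// Server side (hypothetical): send the comment as data, not as pre-built HTML.
// JSON.stringify escapes " and \ and leaves ' untouched, which is what a JSON parser expects.
function buildResponse(author, text) {
  return JSON.stringify({ returncode: "0", author: author, commenttext: text });
}

// Client side: build the <li> from the parsed fields, escaping each user-controlled one.
function renderComment(data) {
  return '<li><div class="comment-author"><b>' + escapeHTML(data.author) + '</b></div>' +
         '<div class="comment-body"><p>' + escapeHTML(data.commenttext) + '</p></div></li>';
}

// Constructed sample 1: a hand-built body like the one in the question, where the
// apostrophe was escaped as \' (not a valid JSON escape, so JSON.parse rejects it).
const brokenBody = String.raw`{"returncode":"0","commenttext2insert":"<p>12wsa\'</p>"}`;

// Constructed sample 2: the same comment text, including an apostrophe and a stray
// tag, encoded by a real JSON encoder.
const goodBody = buildResponse("BOB Man", "12wsa' <b>x</b>");

console.log(parseResponse(brokenBody));              // null: parse failure, no callback
console.log(renderComment(parseResponse(goodBody))); // markup with the tag neutralised
```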
A: 

What does your ColdFusion look like (at least the part where you return something to the browser)? If BalusC is right about needing to escape HTML characters in your return data, you can just wrap your text with the HTMLEditFormat function rather than needing to write anything in Java.

Soldarnal