views: 51

answers: 5

For example, I've a PHP script with this content:

<?php
$msg = addslashes("I'm a message. The what happened >:(");
echo "<script>alert($msg); return false;</script>";
?>

But the alert gets broken by the last "(". How can I solve this?

+6  A: 

You should enclose alert parameter with quotes:

echo "<script>alert('$msg'); return false;</script>";

What your code outputs to the browser was:

<script>alert(The what happened >:(); return false;</script>

which is not valid JavaScript. After putting the quotes in, it becomes:

<script>alert('The what happened >:('); return false;</script>

which is valid javascript.

aularon
Many thanks, but now I'm getting "unterminated string literal" and I've the addslashes() in the PHP msg.
Sein Kraft
Can you update the question with your new code?
aularon
Done, it's updated now.
Sein Kraft
You need to add the quotes: `alert('$msg');`. What `addslashes` does is to escape (backslash) quote occurrences in its parameter, i.e. it will change `I'm a message. The what happened >:(` into `I\'m a message. The what happened >:(`, but it won't surround it with quotes.
aularon
I've added the quotes in the alert(), but still it doesn't work; I get "unterminated string literal".
Sein Kraft
Can you update the question with your latest PHP code, and your HTML source output as well?
aularon
I've updated the question 40 minutes ago...
Sein Kraft
@Sein Kraft But you still have `alert($msg);` instead of `alert('$msg');` in your code above.
aularon
If I update that in the main question, the new users that arrive at the question itself can't see why this thread was created, since the real question will appear fixed in the example. So they can't figure out the problem. Again, I've set alert('$msg'); and I'm getting "unterminated string literal".
Sein Kraft
Can you paste your HTML source output? You can add it to the question by adding `EDIT: after fixing first problem here's what I got: ....`. If you can add both HTML and current PHP source, that will help a lot.
aularon
$msg = addslashes("I'm a message. The what happened >:(");echo "<script>alert('$msg'); return false;</script>";
Sein Kraft
@Sein Kraft I just tried that; the problem now is not an `unterminated string literal` with the `alert`, but `return not in function`. Take that return off the `<script>` tag and it will work.
aularon
+2  A: 

You need to put it in a JavaScript string, otherwise it gets interpreted like this, which is meaningless and causes an error:

<script>alert(The what happened >:(); return false;</script>

Notice the single quotes in the alert() call which denote a JavaScript string (double quotes work too):

<?php
$msg = "The what happened >:(";
echo "<script>alert('$msg'); return false;</script>";
?>

It is also a good idea to escape the content inside to mitigate XSS, using htmlspecialchars().

BoltClock
Double quotes work, too, but remember to escape them, as the string is delimited by double quotes. +1 for XSS warning, though there's no need to worry when the OP uses static strings.
Marcel Korpel
Yeah, it's just a friendly warning :)
BoltClock
Although `htmlspecialchars()` is the wrong kind of escaping for inclusion in a JS string literal in a `<script>` block, which has CDATA content in HTML (the story with XHTML is a bit more complicated). If it were a JS string literal inside an HTML attribute, one would need JS-string encoding followed by `htmlspecialchars()` *as well* (or, more easily, avoided by using `JSON_HEX_TAG|AMP|QUOT` in PHP 5.3).
bobince
A: 

Depending on the context, you might also just do:

<?php
    $msg = "The what happened >:(";
?>

<script>alert("<?php echo $msg ?>"); return false;</script>

If there is no need to echo HTML or JavaScript code, then don't do it. It is easier to maintain.

Felix Kling
A: 

alert() accepts a string argument; you must enclose the text you're passing to it in quotes (either single or double) and ensure that any matching quotes within the string are escaped by backslashes.

In your case single quotes would suffice:

echo "<script>alert('$msg'); return false;</script>";
meagar
+2  A: 

The other answers are along the right lines, but it is not sufficient to just put quotes around the string, if it can be any arbitrary string. If the string itself contains a quote, backslash, or newline, that will break the JavaScript string literal. If the string contains </script (or just </ in some cases) that will break the <script> block. In either case, if user-supplied input is involved, that gives you a big old cross-site-scripting security hole.

Whilst you may not need it for this specific value of $msg, it's a good idea to get used to JS-string-literal-escaping any text you output into a JS string. Whilst you can do this manually by adding backslashes, it's generally much easier to just use the built-in JSON encoder, which will work for other types like arrays and objects as well as strings.

<script type="text/javascript">
    alert(<?php echo json_encode($msg); ?>);
    return false; // huh? return, in a <script> block??
</script>
bobince
+1 for "huh? …" alone
Marcel Korpel
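The following PHP script is an added example, not code from the question or from any answer or comment above. It puts the `addslashes()`-plus-quotes approach from the question side by side with the `json_encode()` approach from the last answer and the `JSON_HEX_*` flags mentioned in bobince's earlier comment, and runs both over constructed sample strings, including one containing `</script>` and one containing a newline, which are exactly the cases the last answer says break a quoted string. The function names (`unsafe_script`, `safe_script`, `safe_attribute`, `is_safely_embedded`) and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not from the page). Shows why quotes + addslashes() are not
// enough for attacker-controlled $msg, and how json_encode() with the
// JSON_HEX_* flags yields a literal that is safe inside <script> or an attribute.

// Constructed sample inputs: the OP's static string, a string that closes the
// script block early, and a string with an embedded newline.
$samples = [
    "I'm a message. The what happened >:(",
    "</script><img src=x onerror=alert(1)>",
    "line one\nline two",
];

// 1. The question's approach. addslashes() escapes quotes and backslashes only;
//    a raw newline still terminates the JS string literal, and "</script" still
//    ends the <script> block before the browser ever parses the JS.
function unsafe_script(string $msg): string {
    $msg = addslashes($msg);
    return "<script>alert('$msg');</script>";
}

// 2. json_encode() emits a valid JS string literal (quotes, backslashes and
//    newlines escaped; "/" becomes "\/"). The JSON_HEX_* flags additionally
//    turn < > & ' " into \uXXXX escapes, so the literal can never contain
//    "</script" and can also sit inside an HTML attribute.
function safe_script(string $msg): string {
    $js = json_encode($msg, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>alert($js);</script>";
}

// 3. The "inside an HTML attribute" variant from bobince's comment:
//    JS-string encode first, then HTML-encode the result.
function safe_attribute(string $msg): string {
    $js = json_encode($msg, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<button onclick="alert(' . htmlspecialchars($js, ENT_QUOTES) . ')">go</button>';
}

// Minimal check: the text between <script> and </script> must contain neither a
// raw "</" (which an HTML parser treats as the end of the block) nor a raw
// newline (which ends a JS string literal).
function is_safely_embedded(string $html): bool {
    $inner = substr($html, strlen('<script>'), -strlen('</script>'));
    return strpos($inner, '</') === false && strpos($inner, "\n") === false;
}

foreach ($samples as $msg) {
    echo "input:     ", json_encode($msg), "\n";
    echo "unsafe:    ", unsafe_script($msg), "\n";
    echo "safe:      ", safe_script($msg), "\n";
    echo "attribute: ", safe_attribute($msg), "\n";
    echo "check:     ", is_safely_embedded(safe_script($msg)) ? "ok" : "BROKEN", "\n\n";
}
```

Running it shows the second and third samples passing `is_safely_embedded()` only for `safe_script()`: the `addslashes()` variant leaves `</script>` and the newline in place, while `json_encode()` with the flags encodes them as `\u003C\/script\u003E` and `\n`. Note that the `return false;` from the question is dropped, since, as the comments point out, a `return` outside a function is itself a JS error.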