I'm having trouble escaping a quotation mark in PHP.
I have a table of products and each row has an onclick function, with the name of the product as the argument.
The name contains the length which is measured in inches, so the name contains a quotation mark. I wrapped an addslashes() around the string. This adds a backslash before the quotation mark but for some reason it doesn't seem to escape the character!
Here's a snippet of my code:
<?$desc1 = addslashes($row['Desc1']);?>
<tr class='tableRow' onclick='afterProductSelection("<?=$desc1?>")'>
<td><?=$row['Desc1']?></td>
When I inspect element in Google Chrome, the colour of the syntax indicates that this has not been escaped, clicking on it gives me a syntax error.
Probably something simple that I'm missing. Hope you can help!
There are a lot of different cases where you need to escape a string. addslashes() is the wrong answer to pretty much all of them.
The addslashes() function is an obsolete hang-over from PHP's early days; it is not suitable for any escaping. Don't use it. Ever. For anything.
In your particular case, since you're creating Javascript data from PHP, use json_encode().
json_encode() will take a PHP variable (whether it's a string, array, object or whatever) and convert it into a JSON string. A JSON string is basically fully escaped Javascript variable, including the quotes around your strings, etc. This is what you need to do.
The addslashes() function is an obsolete hang-over from PHP's early days; it is not suitable for any escaping. Don't use it. Ever. For anything. -Spudley
I think the function you're looking for is htmlentities()
<?=htmlentities($desc1, ENT_QUOTES)?>
http://ca1.php.net/htmlentities
You are generating a JavaScript string encoded as HTML so you need to encode twice:
Use json_encode() to generate the string
Use htmlspecialchars() to encode as HTML
Use json_encode to output variables from the backend in JavaScript:
<tr onclick='afterProductSelection(<? print json_encode($desc1); ?>)'>
N.B.: For string output there is no need for extra quotes.
Related
In PHP, I use json_encode() to echo arrays in HTML5 data attributes.
As JSON requires - and json_encode() generates - values encapsulated by double quotes. I therefor wrap my data attributes with single quotes, like:
<article data-tags='["html5","jquery","php","test's"]'>
As you can see, the last tag (test's) contains a single quote, and using json_encode() with no options leads to parsing problems.
So I use json_encode() with the JSON_HEX_APOS parameter, and parsing is fine, as my single quotes are encoded, but I wonder: is there a downside doing it like this?
You need to HTML escape data echoed into HTML:
printf('<article data-tags="%s">',
htmlspecialchars(json_encode(array('html5', ...)), ENT_QUOTES, 'UTF-8'));
or use the build-in option:
json_encode(array('html5', ...), JSON_HEX_APOS)
you can check it up in the manual: http://php.net/manual/en/json.constants.php#constant.json-hex-apos
I am trying to pass a python dictionary from a chameleon template to a javascript function. But since the dictionary contains single quotes or ' which need to be escaped I get an error in firebug that says : SyntaxError: missing ) after argument list.
My code looks like this:
<div id = "divsfp">
<input type="button" id="sfp" value="SFP"
onclick="get_sfp('${dict_value}')"></input></div>
Where dict_value is a python dictionary. How can I escpae ' in chameleon template before passing the data or in Javascript function itself?
You need to JSON encode the dictionary. You don't then need to put quotes around the dictionary, and JavaScript will see it as a JavaScript object.
Use double-quotes, encoded as ":
onclick="get_sfp("${dict_value}")"
Chameleon will escape any double-quotes in dict_value.
You can try this, if this helps
"get_sfp('"+${dict_value}+"')"
Also from your implementation it seems that the dict_value is the variable you already know. So whats the problem accessing it from the get_sfp function.
Sorry couldn't comment as I still don't have that privilege.
I have a JavaScript hyperlink that is not passing variable to function, undoubtedly due to syntax. Can someone please spot error.
jsfiddle: http://jsfiddle.net/kSVVX/
js
function follow(id){
alert(id);
}
html
<a href='javascript:void(0);' onclick= 'follow('1');'><img src='images/test.gif' border=0 alt='follow'></a>
Note: The reason that I am using all apostrophes is that this link is actually getting echoed from php where a long string is enclosed in quote marks (as certain things in the string must be in apostrophes.) I have a feeling this is source of problem, but have not succeeded in solving it by changing punctuation around.
Thanks for any suggestions.
You are using ' characters to delimit your JavaScript string and the HTML attribute value it is embedded in.
This results in:
onclick= 'follow('
Either:
Avoid intrinsic event attributes (which you should be doing anyway, unobtrusive JavaScript is recommended).
Use different characters to delimit the attribute value (onclick="follow('1');") or string (onclick= 'follow("1");')
Use HTML entities to include the quote mark you are using in the data for the attribute value (onclick= 'follow('1');')
I'm using Ajax calls to get some variables data from the DB.
some of my data stored on the database contains double quotes (").
when I'm trying to display the variable :
value="'+ucontent+'"
the string gets cut in the middle (of course)
I have tried using escape() but im getting a non readable result - something with %4%2 etc...
how can i escape the double quotes in the variable and still keep a readable string...
BTW - I'm using UTF8 characters.
decodeURIComponent()
might be helpful
what escape actually does is replace some characters with a hexadecimal escape sequence.
That is the reason why you are getting unreadable string like %4%2.
Depends on what language in server side you are using.
If it is php, then use json_encode to encode the response string.
If it is ruby(rails), then use escape_javascript to escape the response string.
You can just use \" if you don't use an encoder. See this.
I use the following jquery code to load some date on a specific event from external file:
$("#container").load("/include/data.php?name=" + escape(name));
if the javascript "name" variable contains unicode characters it sends some encoded symbols to data.php file, something like this: %u10E1
How can I deal with this encoded symbols? I need to convert them back to readable one.
When I remove the escape function and leave just "name" variable the code doesn't work any more...
Can anyone please help?
If you want to do this manually, then you should be using encodeURIComponent, not escape (which is deprecated)
The jQuery way, however, would be:
$("#container").load("/include/data.php", { "name": name });
Either way PHP should decode it automatically when it populates $_GET.
This may help you.
javascript - how to convert unicode string to ascii