How to escape quotes and already escaped quotes in PHP before passing to Javascript?


Solution 1

You could escape any quotes in php using htmlspecialchars or htmlentities, however this doesn't solve the issue of single quotes, even if ENT_QUOTES is set.

Doing a little testing I see the following should work, although it may not be very elegant:

$name = htmlentities(str_replace("'", "\'", $event->getName()));
$response = "<img src=\"images/action_delete.gif\" onClick=\"confirmDelete('" . $name . "')\"/>";

Hope that helps

Solution 2

Very safe alternative which also gives you the hand cursor for free

<script>
function confirmDelete(idx) {
  if (confirm(document.getElementById("msg"+idx).innerHTML)) {
    location="delete.php?idx="+idx;
  }
  return false;
}
</script>
<span id="msg1" style="display:none"><?PHP echo $event->getName(); ?></span>
<a href="#" onClick="return confirmDelete(1)"><img src="images/action_delete.gif" style="border:0" /></a>

Solution 3

Process the string using json_encode(). That will ensure it's a valid JavaScript expression.
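As an added example (not code from the question or any of the answers), this is how the json_encode() approach looks when the JavaScript string literal also has to survive being placed inside an HTML onClick attribute. It assumes a JavaScript confirmDelete(name) function on the page and takes the name as a plain string instead of calling $event->getName().

```php
<?php
// Added example, not from the original post. Assumes a confirmDelete(name)
// JavaScript function exists on the page; $name stands in for $event->getName().

function jsStringForAttribute(string $value): string {
    // json_encode() yields a double-quoted JS string literal. Backslashes are
    // doubled, and the JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so
    // the literal can neither end the attribute nor break out of a <script> block.
    $js = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE
    );
    if ($js === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    // The literal is placed inside onClick="...", so it is HTML-attribute-encoded
    // as well; the browser decodes the entities before the JS parser sees it.
    return htmlspecialchars($js, ENT_QUOTES, 'UTF-8');
}

function deleteButton(string $name): string {
    return '<img src="images/action_delete.gif" onClick="confirmDelete('
        . jsStringForAttribute($name) . ')"/>';
}

// Constructed inputs: the four cases from the question, a lone trailing
// backslash (which a str_replace() chain leaves in place, so it would escape the
// closing quote of the literal), and a tag that must not reach the HTML parser.
$samples = [
    "O'Brien",
    'say "hi"',
    "back\\'slash",
    'esc\\"aped',
    'trailing\\',
    '</script><script>alert(1)</script>',
];
foreach ($samples as $s) {
    echo deleteButton($s), PHP_EOL;
}
```

Every sample reaches confirmDelete() as exactly the bytes the user typed, because the encoding is reversed by the browser in the same order it was applied (HTML attribute first, then JavaScript string literal).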

Author: Lawyerson

Updated on March 16, 2020

Comments

  • Lawyerson
    Lawyerson about 4 years

    There are many questions about escaping single and double quotes but I have had no luck finding an answer that solves my particular problem.

    I have a PHP function that dynamically returns an image with an onClick event that calls a Javascript function with the name of an object as an argument like so:

    $response = "<img src=\"images/action_delete.gif\" onClick=\"confirmDelete('" . $event->getName() . "')\"/>";

    The Javascript function should display a confirmation dialogue at some point like this:

    confirm('Delete event ' + name + ' ?')
    

    How should I format $response in PHP to make sure the Javascript confirm won't mess up when the user enters a name containing ' or " or \' or \" ?

  • Lawyerson
    Lawyerson about 13 years
    Thank you for the suggestion! This looks like something I might use in the future but I'm afraid it requires too drastic a rewrite in my current situation. I was hoping to use some kind of function to simply escape those 4 character (combinations) like the json_encode() ThiefMaster suggested.
  • Lawyerson
    Lawyerson about 13 years
    Is there anything wrong with the way in which I've used and escaped quotes in my example that would cause this not to work when simply applied to the $event->getName()?
  • Lawyerson
    Lawyerson about 13 years
    I expanded your code a bit: htmlentities(str_replace("'", "\'", str_replace("\'", "\\\'", $input))); so the dialogue actually shows \' if the user entered \'. I'm not sure how to do the same for \" but at least this prevents the confirm dialogue from messing up. Thanks for the suggestion.
  • nicja
    nicja about 13 years
    Ah, I didn't think about users entering escaped quotes. The following should take care of all 4 cases, and also combines it all into 1 str_replace() call. You probably don't need the htmlentities() call if you're also escaping the " chars, but it may be handy to handle & and other special chars. Try: str_replace(array("\'", '\"', '"', "'"), array("'", '"', '\"', "\'"), $input);
  • Lawyerson
    Lawyerson about 13 years
    Wouldn't replacing "\'" with "'" and then "'" by "\'" just switch the problem around? Or does the function not work in that way? Perhaps my question wasn't entirely clear. I don't want to sanitize the input in a traditional sense, I actually want the alert to display what the user entered exactly as they entered it. I'm particularly having a hard time replacing both the backslash and double quote in \" so I can pass it to javascript exactly like that.
  • Lawyerson
    Lawyerson about 13 years
    htmlentities(str_replace(array("\'", '\"', '"', "'"), array("\\\'", '\\"', '\"', "\'"), $input)); seems to accomplish what I am trying to do, though I can't really explain why the htmlentities makes a difference.
  • Matt K
    Matt K over 7 years
    Any reason why you can't just use the addslashes() function?