What do you do when you already have single and double quotes in a URL, but then you need to wrap that URL in quotes?
For example:
<script src="http://(some url text)xpath='//*[@id="node-1075"]/div/div[1]/div/div/p[2]'"></script>
The node ID is wrapped in quotes. If I put the URL alone in the address bar it works, but as soon as it gets wrapped in quotes it doesn't. I can't escape the quotes either, or else it will fail. What do I do?
You should be able to replace the double quotes with: %22
And the single quotes with: %27
So your URL would be:
"http://(some url text)xpath=%27//*[#id=%22node-1075%22]/div/div[1]/div/div/p[2]%27"
Here is the complete list of ASCII encodings: http://www.w3schools.com/tags/ref_urlencode.asp
You need to escape them; usually you write (inside HTML files) double quotes first, then single quotes (the opposite in .js files, but that's my personal style); whenever you need the same in between you need to escape it.
Example:
document.getElementById("some").innerHTML = "<img src='something' onmouseover='change(\"ex1\")' />";
Notice that using the JavaScript escape character (\) isn't enough in an HTML context; you need to replace the double-quote with the proper XML entity representation, &quot;.
Example:
Do It!
In your case, I would recommend URL-encoding "the URL" though.
I need to escape characters to avoid XSS. I am using org.apache.commons.lang.StringEscapeUtils.escapeHtml(String str), which helps in the following way:
Raw input
" onmouseover=alert() src="
After escaping HTML becomes
" onmouseover=alert() src="
However, there are cases in which the reflected input is trapped in single quotes, such as:
test'];}alert();if(true){//
In that particular case, escaping HTML does not have any effect. However, org.apache.commons.lang.StringEscapeUtils also has a method called escapeJavaScript(String str), which would convert the input into:
test\'];}alert();if(true){\/\/
The question here is, would you sanitize your input by escaping HTML first and then JavaScript? The other option would be to replace the single quote character with \' manually.
Any help will be greatly appreciated!
As @gabor-lengyel mentioned, I should be able to escape a single quote with an HTML encoder.
The problem I had is that I was using org.apache.commons.lang.StringEscapeUtils.escapeHtml, and it is not capable of escaping single quotes with the corresponding HTML entity. I am now using org.springframework.web.util.HtmlUtils.htmlEscape, which is capable of dealing with both double and single quotes.
Thank you @gabor-lengyel again for your help!
This url throws a missing ) after argument error. It is being dynamically generated by PHP. I cannot figure out the correct sequence/placement of single and double quotes to render it.
Cards
The particular effect desired is to onmouseover insert an image into .menu-image li. All I can figure out is that the img src with the quotes (I've tried single and double) is not liked and throws the argument error.
Try escaping the incorrect quotes with \ or \\.
I.e. html('<img src=\'cards_1.png\' />');
Alternatively, you can just use &quot;. An URL encoder should have done this for you automatically.
A very popular error btw. is to not encode every & in an URL as &amp;. Browsers usually guess right what was intended though, so people never learn. But the link
example
is actually incorrect and should be
example
Now if you had been using an URL encoder instead of just "printing" the string, it should automatically have converted your double quote to &quot; and probably saved you some headaches.
Looks like you need to escape the innermost single quotes like so:
<a href="cards.html" onmouseover="jQuery('.menu-image li').html('<img src=\'cards_1.png\' />');
You need to write this:
Cards
...otherwise your browser can't distinguish whether the apostrophes belong to the <img tag or to the html( command.
Use encoded quotes for the <img/> tag:
Cards
I want to use JQ to print to a div on my page. The string I want to print with contains HTML including apostrophes and double apostrophes.
Is there a plugin or function to escape this so that the string doesn't break the JS variable? There may be cases where I can't escape all of the apostrophes and double apostrophes in the incoming data using a backslash, so I'm looking for a function that can do it.
E.g.:
var replacement = 'This content has an apostrophe ' and a double apostrophe "';
$("#overwrite").text(replacement);
TIA
If you wanted to type out a string that is assigned to a variable like in your example above, then just escape it yourself.
For example, if I know my data will have apostrophes, then I wrap it in quotes (what you are calling double apostrophes) and use the HTML shortcut for quotes, &quot;, or you can use a backslash to escape the quote, \". Either way works. So your example above would become:
var replacement = "This content has an apostrophe ' and a double apostrophe &quot;";
If the user is typing in the string or you are getting data from a feed, then it would be best to use the javascript replace function to make sure the quotes are escaped, like this:
var text = $("input").val().replace(/\"/g, "&quot;");
There is no need to escape incoming data, as it is already a string.
The only reason you need to escape apostrophes and double apostrophes in JavaScript source is due to the fact the JavaScript engine has to determine where the string starts and ends.
For instance, assuming you have a div#source containing the text "Hi there, what's up!", it is perfectly safe to do $("#overwrite").text($("#source").text()).
I have a MVC view in which I have to pass a string variable to JavaScript, but that string variable has single quotes in it ('). I am trying to do something like this
<a onclick="JavaScript:AddressHandler.ProcessAddress('<%= homeAddress %>');"
class="button-link">change</a>
homeAddress has single quotes which I have to workaround somehow so that I can pass the complete value of it to the JavaScript.
You can use Ajax helper: Ajax.JavaScriptStringEncode(string strToEncode)
To escape a string to be a Javascript string literal, you replace backslash with double backslashes, and the string delimiter with a backslash and the delimiter:
<a onclick="AddressHandler.ProcessAddress('<%= homeAddress.Replace(#"\", #"\\").Replace("'", #"\'") %>');" class="button-link">change</a>
Note: The javascript: protocol is used when you put script in an URL, not as an event handler.
Edit:
If the script also contains characters that need HTML encoding, that should be done after escaping the Javascript string:
<a onclick="<%= Html.Encode("AddressHandler.ProcessAddress('" + homeAddress.Replace(#"\", #"\\").Replace("'", #"\'") +"');") %>" class="button-link">change</a>
So, if you don't know what the string contains, to be safe you need to first escape the string literal, then HTML encode the code so that it can be put in the attribute of the HTML tag.
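The ordering point made in this answer (and asked about in the escapeHtml / escapeJavaScript question above) can be checked directly. The following is an added example, not code from any of the posts: it models the two decoding steps a browser performs on an inline handler and shows that escaping in the wrong order lets the sample value test'];}alert();if(true){// close the string literal. The function name f and the helper names are made up for the example.

```javascript
// Added example, not from any post above. The browser decodes HTML entities
// in an attribute value first and only then parses the result as JavaScript,
// so the escaping layers go in reverse: JS-escape first, HTML-escape second.

// Layer 1: make `s` safe inside a single-quoted JS string literal.
function escapeJsString(s) {
  const map = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r' };
  return String(s).replace(/[\\'"\n\r]/g, ch => map[ch]);
}

// Layer 2: make `s` safe as the value of a double-quoted HTML attribute.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Simplified model of the browser's attribute decoding; it only knows the
// entities escapeHtmlAttr emits.
function decodeHtmlAttr(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, ent => map[ent]);
}

// Attribute text for  fn('<value>')  with the layers in either order.
function handlerAttr(fn, value, jsFirst) {
  const inner = jsFirst ? escapeHtmlAttr(escapeJsString(value))
                        : escapeJsString(escapeHtmlAttr(value));
  return fn + "('" + inner + "')";
}

// Minimal model of the JS parser: read the first single-quoted literal and
// report the decoded argument and whatever source text follows it.
function parseFirstArg(js) {
  const esc = { n: '\n', r: '\r' };
  let arg = '';
  for (let i = js.indexOf("'") + 1; i < js.length; i++) {
    if (js[i] === '\\') { const c = js[++i] || ''; arg += esc[c] || c; continue; }
    if (js[i] === "'") return { arg, rest: js.slice(i + 1) };
    arg += js[i];
  }
  return { arg, rest: null };  // unterminated literal
}

// What the handler function receives, and whether the literal closed exactly
// where the template intended (anything else means the value became code).
function whatTheFunctionReceives(fn, value, jsFirst) {
  const { arg, rest } = parseFirstArg(decodeHtmlAttr(handlerAttr(fn, value, jsFirst)));
  return { arg, intact: rest === ')' };
}
```

With jsFirst=true the function receives the original value unchanged; with jsFirst=false the entity for the apostrophe is decoded back before the JS parser runs, and the literal ends after "test".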
You can write a method that escapes all single quotes (and other characters if needed) with a backslash so it is not misunderstood by javascript.
You'll want to encode homeAddress as a URL. MVC has a built in helper to do this: UrlHelper.Encode(string url) - it should replace a single quote with %27
I don't have time to test it, but look at HtmlHelper.Encode(string s). It might handle the escaping for you.
I'm trying to pass a PHP-defined string with spaces to a JavaScript function, so that I can append it to a query string. However, the function only works when there are NO spaces, and does not even execute when there are spaces (tested with alert()).
Is there a way I can pass strings with spaces into JavaScript functions, so that I can eventually do an escape() and then append to my query string? (Using alert() in this example.)
.php file
<a onClick=showUser('<?php echo $stringwithspaces; ?>')>click here</a>
.js file
function showUser(str)
{
alert (str);
}
if I could only do something like... onClick=showUser(escape('<?php echo $deptname; ?>'))... that would be awesome, but that didn't work. Any help would be much appreciated! Thanks!
The problem is you didn't quote the attribute value. You can leave quotes off of attribute values only if the value doesn't contain spaces, otherwise the HTML processor can't tell when an attribute ends. Even so, it's not recommended; you should always quote HTML attributes.
user
should work. The call to addslashes escapes quotes, which would otherwise cause another problem (ending the attribute or string argument of showUser too soon).
Yes, you can; you are missing the " in your XML attribute field:
Each attribute must have a starting and an ending "
myField="blabla ..."
onClick="showUser(escape('<?php echo $deptname; ?>'))"
Try the Unicode escape sequence for a space character, '\u0020'.