HTML with JavaScript in PHP seems to be conflicting

The code I want to get into a PHP statement is
<a href="javascript:void();"
onclick="document.loginfrm.user.value="username";
document.loginfrm.pass.value="password";
document.loginfrm.submit();">login
</a>
So what I would normally do is just surround it with an echo and quotation marks, and then replace any quotation marks in the statement with these --> ('), so that's what I did... and for some reason it seems to misinterpret the sentence severely. Here is the code I enter in PHP.
echo "<a href='javascript:void();'
onclick='document.loginfrm.user.value='username';
document.loginfrm.pass.value='password';
document.loginfrm.submit();'>". login ."</a>";
And this is how the browser interprets it:
<a href="javascript:void();
" onclick="document.loginfrm.user.value=" username';=""
document.loginfrm.pass.value="password" ;="" document.loginfrm.submit();'="">
login</a>
So yes, is there any way around displaying HTML within PHP that could get around this problem?

Can you try this, added \
echo "<a href=\"javascript:void();\"
onclick=\"document.loginfrm.user.value='username';
document.loginfrm.pass.value='password';
document.loginfrm.submit();\">login </a>";

You need to escape it properly. Try
echo "<a href=\"javascript:void();\"
onclick=\"document.loginfrm.user.value='username';
document.loginfrm.pass.value='password';
document.loginfrm.submit();\">". $login ."</a>";

You're not escaping your quotes. Try:
echo "<a href=\"javascript:void();\"
onclick=\"document.loginfrm.user.value='username';
document.loginfrm.pass.value='password';
document.loginfrm.submit();\">login</a>";
which should produce:
<a href="javascript:void();"
onclick="document.loginfrm.user.value='username';
document.loginfrm.pass.value='password';
document.loginfrm.submit();">login
</a>
As you have it now, you're closing the onclick attribute when you hit the quote at the start of the "username" value, which means the browser is interpreting username as another attribute and it just gets more confused from there...
Edit: sorry, fixed the html, rather than the php code...

You should do something like this..
<a href="javascript:void();"
onclick="document.loginfrm.user.value='username';
document.loginfrm.pass.value='password';
document.loginfrm.submit();">login
</a>
and with php it should be
echo '<a href="javascript:void();"
onclick="document.loginfrm.user.value=\'username\';
document.loginfrm.pass.value=\'password\';
document.loginfrm.submit();">
login
</a>';

Related

echo javascript function in php

I cannot call the JavaScript function with the following JavaScript link. What is the problem here? Can anyone help me, please?
$buttonMessage = '
<a class="drupalchat-profile-un drupalchat_cng"
href="javascript:void(0)"
onclick="javascript:chatWith('.$pUsername.','.$profile_uid.','.$UserAvatar.','.$onof.')">
</a>';
You've probably some JS errors, and need to add single quotes around your values:
$buttonMessage = '
<a class="drupalchat-profile-un drupalchat_cng"
href="javascript:void(0)"
onclick="javascript:chatWith(\''.$pUsername.'\',\''.$profile_uid.'\',\''.$UserAvatar.'\',\''.$onof.'\')">
</a>';

How do I use PHP to encode a string containing quotes to make it safe for inline 'onclick'?

I have a variable in a database that could potentially contain single or double quotes. When I retrieve the variable from the database, it is written with PHP into an inline "onclick" handler:
echo '<li><a onClick="a4e.duplicate_assignment('.$this_assignment['id'].',\''.htmlspecialchars($this_assignment['title'],ENT_QUOTES).'\',\'/assignments/'.$type.'/\');" href="javascript:void(0);">';
echo '<i class="fa fa-copy"></i> Duplicate assignment</a></li>';
This produces HTML that looks like this in the page source:
<li><a onClick="a4e.duplicate_assignment(92,'ELLLO - 'If I had a million dollars'','/assignments/cloze/');" href="javascript:void(0);"><i class="fa fa-copy"></i> Duplicate assignment</a></li>
However, clicking the link produces the following error in the console:
Uncaught SyntaxError: missing ) after argument list
I thought using the PHP function "htmlspecialchars" would mitigate this issue, but it doesn't seem to work.
Any help greatly appreciated.
P.S. It is not possible in this case to use a Javascript "onclick" handler - it has to be inline HTML. Also, it is not possible to ban the use of quotation marks in the variable value.
Try using the function:
addslashes()
EDIT: This method will take care of the quotes in the string itself, but may not be suitable if you need to retain quotes for HTML insertion. Read the docs carefully.
http://php.net/manual/en/function.addslashes.php
It's because your Unicode (') is also being treated as '.
Use this:
<li><a onClick="a4e.duplicate_assignment(92,'ELLLO - \'If I had a million dollars\'','/assignments/cloze');" href="javascript:void(0);"><i class="fa fa-copy"></i> Duplicate assignment</a></li>
Use json_encode to convert a value to a JavaScript literal (with all necessary escaping).
Use htmlspecialchars to convert a value (such as a JavaScript program) to something safe to place in an HTML attribute value.
<?php
$id = $this_assignment['id'];
$title = $this_assignment['title'];
$url = "/assignments/$type/";
// Step 1: turn each value into a JavaScript literal
$js_id = json_encode($id);
$js_title = json_encode($title);
$js_url = json_encode($url);
$js = "a4e.duplicate_assignment($js_id, $js_title, $js_url);";
// Step 2: make the whole script safe inside an HTML attribute value
$html_js = htmlspecialchars($js, ENT_QUOTES);
?>
<li>
<a href="javascript:void(0);" onclick="<?php echo $html_js; ?>">
<i class="fa fa-copy"></i>
Duplicate assignment
</a>
</li>
A better approach would be to use progressive enhancement and non-inline JS. You've ruled that out, but you should try to remove that restriction.
<?php
$id = $this_assignment['id'];
$title = $this_assignment['title'];
$url = "/assignments/$type/";
// Only HTML encoding is needed: the values go into attributes, not into script
$html_id = htmlspecialchars($id, ENT_QUOTES);
$html_title = htmlspecialchars($title, ENT_QUOTES);
$html_url = htmlspecialchars($url, ENT_QUOTES);
?>
<li>
<a href="<?php echo $html_url; ?>" data-title="<?php echo $html_title; ?>" data-id="<?php echo $html_id; ?>">
<i class="fa fa-copy"></i>
Duplicate assignment
</a>
</li>
<!-- and later -->
<script>
document.querySelector("a").addEventListener("click", duplicate_assignment_handler);
function duplicate_assignment_handler(e) {
  e.preventDefault();
  // The values are read back from the DOM as plain strings
  a4e.duplicate_assignment(this.dataset.id, this.dataset.title, this.href);
}
</script>

javascript onClick is not working in php

I am echoing an HTML form with PHP which has the following lines:
<a class='btn btn-sm btn-danger pull-right' onClick=return confirm('Delete This account?'); href='".url('deleteuser/'.$order->id)."' >Delete</a>
This correctly goes to the url specified. However, the onClick method is never triggered. Any help is much appreciated.
EDIT: Clarified pure HTML versus echo string.
Put quotes around the onclick attribute value.
i.e. in pure HTML:
onClick="return confirm('Delete This account?');"
So if you are outputting this via echo, you need to escape the respective type of quote characters with a backslash.
echo 'onClick="return confirm(\'Delete This account?\');"';
or
echo "onClick=\"return confirm('Delete This account?');\"";
Upvoted @faintsignal's answer because it is correct; your confusion of single quotes is the cause. However, a much better way to do this is to separate the PHP from the HTML:
<?php
foreach($someItem as $someKey => $order){
?>
<a class="btn btn-sm btn-danger pull-right" onClick="return confirm('Delete This account?');" href="<?php echo url('deleteuser/'.$order->id); ?>">Delete</a>
<?php
}
?>
Just providing an alternative, and it's generally considered good practice because you have clear separation of duties and it's easier to maintain.
EDIT: provided a super generic example of using foreach, obviously you can mod for your setup but it shows you can separate the function and it will run just fine.

Two times same onclick function - only one works

I am desperate on this.
I create a list with an image and some description and other data.
The image and the description should be linked the same way.
The description link (onclick event) works fine:
<?php echo (string)$flat.'<br />'; ?>
But around the image it doesn't:
<a href="#" onclick="show_object('<?php echo $itemId.','.$identifier; ?>');return false;">
<img src="<?php echo (string)$image_url; ?>" class="list_image"></img>
</a>
Why? I do not understand. I tried several other ways, with including the onclick in the image, making a span out of the a... Nothing works.
If I click on the image, I see in the JavaScript console that the request gets started, but it does not load the page.
I do not understand, since the two requests are exactly the same and immediately after one another (inside a table).
Please help!
I think you are missing some quotes:
<a href="#" onclick="show_object('<?php echo $itemId."','".$identifier; ?>');return false;">
<img src="<?php echo (string)$image_url; ?>" class="list_image"></img>
</a>
In your version, you call show_object('someitemid,someidentifier') but you want to call show_object('someitemid','someidentifier') as you do in your first <a>-tag.
How is that "exactly the same" ?
"show_object('<?php echo $itemId."','".$identifier; ?>'); return false;"
"show_object('<?php echo $itemId.','.$identifier; ?>');return false;"
I suggest you double check the quotes, or copypaste the working one into the other, then come back to us if it's not fixed :)

quick question about onclick

Can I do it like this:
<a href="#" id="thelink" onclick="window.parent.OpenVote("<? echo $_GET['id']; ?>", '<? echo $rowData['username']; ?>');">
It doesn't seem to work..
You can, but you need to use single quotes to pass an argument or else you'll escape the onclick attribute.
<a href="#" id="thelink" onclick="window.parent.OpenVote('<? echo $_GET['id']; ?>', '<? echo $rowData['username']; ?>');">
The first issue is the quotes inside the value for the onclick attribute. You either have to HTML encode them using &quot; or use apostrophes instead:
<a href="#" id="thelink" onclick="window.parent.OpenVote('<? echo $_GET['id']; ?>', '<? echo $rowData['username']; ?>');">
Then you have to consider the values that you put in the code.
First you have to encode the values so that they can be string literals in the Javascript code. If there can be any backslash characters in them, you have to replace them by double backslashes, then if there can be any apostrophes in them, you have to escape them by putting a backslash before them (i.e. replace each apostrophe with a backslash and an apostrophe).
Then you have to encode the entire script so that it can be a value in an HTML tag. As there are no characters that need escaping in the static code, you only have to encode the values that you put in the code. You have to HTML encode the values so that any characters like <, >, & and " are replaced with HTML entities.
Probably due to extra quotes in the onclick statement.
Try replacing the double quotes around the id param with single quotes:
<a href="#" id="thelink" onclick="window.parent.OpenVote('<? echo $_GET['id']; ?>', '<? echo $rowData['username']; ?>');">
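
Added example (not part of any answer above and not the posters' code): the two encoding layers described in the json_encode answer and in the OpenVote answer, value to JavaScript literal and then script to HTML attribute value, next to the HTML-only encoding that failed in the duplicate_assignment question. The helper names inline_js_call and as_seen_by_js are hypothetical, the sample values are constructed, and html_entity_decode stands in for the browser's decoding of the attribute.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: build the value of an onclick attribute that calls
// $fn with $args. Only $args may be untrusted; $fn must be a fixed name.
function inline_js_call(string $fn, array $args): string
{
    // Layer 1: each value becomes a JavaScript literal. The JSON_HEX_* flags
    // write < > & ' " as \u00XX, so the literal holds no HTML metacharacters.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    $literals = array_map(fn ($v) => json_encode($v, $flags), $args);
    $js = $fn . '(' . implode(', ', $literals) . ');';

    // Layer 2: the finished script becomes an HTML attribute value.
    return htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The browser decodes character references in an attribute value before it
// compiles the handler, so this is the text the JavaScript parser receives.
function as_seen_by_js(string $attrValue): string
{
    return html_entity_decode($attrValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample values (not taken from a real database or request).
$title    = "ELLLO - 'If I had a million dollars'";
$username = 'O\'Reilly & "Sons" <b>';

// HTML encoding alone, as in the duplicate_assignment question: the entity
// for the apostrophe is decoded again, so the string literal still ends early.
$htmlOnly = "a4e.duplicate_assignment(92,'"
          . htmlspecialchars($title, ENT_QUOTES) . "');";

// Both layers, for the two calls discussed on this page.
$dup  = inline_js_call('a4e.duplicate_assignment', [92, $title, '/assignments/cloze/']);
$vote = inline_js_call('window.parent.OpenVote', ['17', $username]);

foreach (['html only' => $htmlOnly, 'duplicate' => $dup, 'vote' => $vote] as $label => $attr) {
    echo "[$label]\n  attribute: onclick=\"$attr\"\n";
    echo '  JS parser: ', as_seen_by_js($attr), "\n";
}
```

Run it with the PHP CLI and compare the "JS parser" line of the first case with the other two: only in the first does the apostrophe from the value reach the parser as a bare quote.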
