xandros — 2010-07-02T08:56:03-04:00 — #1
here's the issue, but first a foreword.
Everything is fine until there are single or double quotes INSIDE the 'string' value. Having a double quote inside the string, even JS escaped leads to the onclick argument value being cut :
<button onclick=<font color='"Red"'>"DoSomething('str\\"</font>ing')">
If you replace the double quote by '"' then you don't get a double quote inside DoSomething (you could always replace " by " in JS).
Similar problem if you choose to enclose the onclick argument in single quotes and happen to have a single quote JS escaped inside the string.
So, is there any other way of dealing with potential presence of single AND double quotes in the 'string' value, other than replacing them before by ' and " and then replacing them back inside DoSomething ?
r51 — 2010-07-02T15:41:20-04:00 — #2
If you're happy with onclick attributes, then how about your own custom attributes?
<input type="button" value="Click Me" myAttr='Hi"There' onclick="doThis(this.getAttribute('myAttr'));" />
felgall — 2010-07-02T16:11:09-04:00 — #3
If you really can't spare the couple of minutes to do that then what you need to use is:
r51 — 2010-07-02T16:19:57-04:00 — #4
Oh. Yep. That\'s easier. Don\'t use custom attributes!
xandros — 2010-07-02T17:51:34-04:00 — #5
Ok thanks to everyone, but the only thing I can do in the context of where it is, is what r51 suggested (I actually implemented this right after my post)...
Thanks to felgall too but I think you missed the fact that when using your example, then the inside string cannot have single quotes... Which it can have sometimes too ...
Anyway, thanks to you all for your replies ! The most versatile way with the restrictions that apply is to use a custom html attribute indeed ...
felgall — 2010-07-02T19:21:32-04:00 — #6
xandros — 2010-07-03T03:56:09-04:00 — #7
Well, if you just escape the double quotes to " and replace " back by " inside the called JS function, you can actually allow the contents of the custom HTML attribute to have single AND double quotes.
felgall — 2010-07-03T18:17:03-04:00 — #8
xandros — 2010-07-06T05:23:39-04:00 — #9
As I stated in the very first message, i'm aware of this, and the best practice rules for JS and whatnot cannot be applied in every environment because there are some other reasons to sometimes do otherwise. anyway I do agree about " but since it is output inside a custom html attribute ...
felgall — 2010-07-06T15:57:46-04:00 — #10