1

I'm encountering a problem involving escaping character that I think it's not simple at all. If this is done in javascript, nothing to say but the context is using echo command (in PHP) to write javascript code like this:

echo "<script>document.getElementById('spanID').innerHTML=\"$x\"</script>";

$x is a variable in PHP environment, which can contain both single and double quotes. What I do here is: 1. Keep the $x not change, and if $x contains any double quote, the above code won't work, the text echoed may look like:

<script>document.getElementById('spanID').innerHTML="leftside"rightside"</script>;

I supposed $x = leftside"rightside, and you can see it surely won't work.

  1. Escape the double quotes in $x (change all " to 

    "
    ), then the text echoed may look like this:

    document.getElementById('spanID').innerHTML="leftside

    "
    rightside";

The 

"
won't be converted to " when it is assigned to innerHTML attribute of a Span (for e.g), so instead of my want, the innerHTML of my SPAN should be leftside"rightside, it will be leftside
"
rightside.

If I change the " to ' in the original echo, like this:

echo "<script>document.getElementById('spanID').innerHTML='$x'</script>";

It is the same because $x here can contain both single and double quotes.

I don't find out any other ways to escape quotes in this case. Could you please help me out?

Thanks!

Hopeless
  • 4,397
  • 5
  • 37
  • 64

1 Answers1

2

You need to put between the quotes a string that is a valid string of JavaScript containing valid (and safe) HTML.

Your best option is to not use innerHTML and instead use document.createTextNode which means you only need to slash-escape the content.

Otherwise, you need to HTML escape, then slash escape the content. For correctness, your slash-escaping function should escape at least double-quotes, backslashes, and all JavaScript newlines (U+A, U+D, U+2028, U+2029). I believe PHP's addslashes does not handle U+2028 or U+2029 by default but How to escape string from PHP for javascript? has some alternatives.

To put it all together:

$x_escaped = json_encode($x, JSON_HEX_TAG);

echo "<script>document.getElementById('spanID').appendChild(document.createTextNode($x_escaped))</script>"

should do it. The JSON_HEX_TAG makes sure that $x_escaped will not contain </script> or any other content that prematurely ends your script tag. </script> will instead become \u003c/script\u003e.

Community
  • 1
  • 1
Mike Samuel
  • 118,113
  • 30
  • 216
  • 245
  • 1
    `innerText` is far not the best property for compatibility reasons. – VisioN Dec 05 '12 at 16:12
  • He :) But how you pass `$x` to `document.createTextNode()` method? – VisioN Dec 05 '12 at 16:15
  • Your suggestion about innerText may be what I'll try. I'm sorry for my question, I want to type " ; (there's no space before the ;) but it turned to " after I submitted my question. Could you please explain more to me why I need to HTML escape here? All I want to escape are quotes, not all HTML elements, and I did the escape myself, which is simpler, or my escape is not what HTML escaping function do to quotes only (I'm talking about only quotes here). Thanks! – Hopeless Dec 05 '12 at 16:18
  • @KingBoy, please see my edit. I think the code I added does what you want. – Mike Samuel Dec 05 '12 at 16:20