0

I'm looking for the best way to escape some Javascript text in PHP, and json_encode is the wrong tool for the job.

The problem comes from this line: 

echo " onclick=\"SwitchDiv('" . $option . "')\"";
If there's an apostrophe in $option, this is a juicy ball of client-side fail. But doing a straight json_encode (which works perfectly well in other contexts) doesn't help: 
echo " onclick=\"SwitchDiv(" . json_encode($option) . ")\"";
That creates an output string of onclick="SwitchDiv("athlete's foot")", resulting in premature termination of the onclick value. (Which also happens if I enclose the onclick value in single quotes.)

Is there an elegant way around this? Should I just funnel the json_encode output through a regex that will escape the single quotes?

Improve this question
1
  • I would suggest cleaning up the $option value as you allude to at the end of your question. Commented Jun 21, 2012 at 15:22

1 Answer 1

Reset to default
3

json_encode is the right tool for the job. Your problem arises from the fact that you are also including that Javascript in an HTML attribute, thus it also needs to be htmlspecialchars-encoded.

echo " onclick=\"SwitchDiv(" . htmlspecialchars(json_encode($option)) . ")\"";
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.