2

I have some addHtml JavaScript function in my JS code. I wonder how to escape HTML/JS code properly. Basically, what I am trying right now is:

addHtml("<a onclick=\"alert(\\\"Hello from JS\\\")\">click me</a>")

However, that doesn't work. It adds the a element but it doesn't do anything when I click it.

I don't want to replace all " by ' as a workaround. (If I do, it works.)

Improve this question
9
  • 1
    Why 3 backslashses? Just put one backslash before each double quote inside your method "\ Commented Jul 6, 2010 at 19:59
  • 1
    One wonders why you are using string literals to add an HTML element to the page instead of creating an element in the dom and attaching an event to it? Commented Jul 6, 2010 at 20:03
  • @Marko: Then it would not be valid HTML. Commented Jul 6, 2010 at 20:03
  • @Darko: This is just for testing and I reduced the testcase to put it here on SO. Even if I would solve this particular task in a way where I go around the problem, I would still not have solved the problem itself because I will need it elsewhere. Commented Jul 6, 2010 at 20:05
  • You say it adds the a element. does the onclick get put onto that element with nothing in it? or is the onclick missing all together? Commented Jul 6, 2010 at 20:11

6 Answers 6

Reset to default
7

I wonder how to escape HTML/JS code properly.

To insert string content into an HTML event handler attribute:

(1) Encode it as a JavaScript string literal:

alert("Hello \"world\"");

(2) Encode the complete JavaScript statement as HTML:

<a onclick="alert(&quot;Hello \&quot;world\&quot;&quot;">foo</a>

And since you seem to be including that HTML inside a JavaScript string literal again, you have to JS-encode it again:

html= "<a onclick=\"alert(&quot;Hello \\&quot;world\\&quot;&quot;\">foo<\/a>";

Notice the double-backslashes and also the <\/, which is necessary to avoid a </ sequence in a <script> block, which would otherwise be invalid and might break.

You can make this less bad for yourself by mixing single and double quotes to cut down on the amount of double-escaping going on, but you can't solve it for the general case; there are many other characters that will cause problems.

All this escaping horror is another good reason to avoid inline event handler attributes. Slinging strings full of HTML around sucks. Use DOM-style methods, assigning event handlers directly from JavaScript instead:

var a= document.createElement('a');
a.onclick= function() {
    alert('Hello from normal JS with no extra escaping!');
};
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Great answer, bobince. I basically came up with my answer of addHtml("<a onclick=\"alert(&quot;Hello from JS&quot;)\">click me</a>"); by trial and error, but this makes clear why it worked.
2

My solution would be

addHtml('<a onclick="alert(\'Hello from JS\')">click me</a>')

I typically use single quotes in Javascript strings, and double quotes in HTML attributes. I think it's a good rule to follow.

Improve this answer

5 Comments

I may want to use more complex JS code snippets there and I want to escape it in a general way that it always works. Just replacing all " by ' would probably not work in all cases.
You would replace all ' with \'
And how would I replace the " if there are any in the JS code? What if I want to put the full addHtml(...) again as the onclick code? (I need a general solution which works for just any code.)
The odds are pointing to the idea that you have made a poor design decision.
I found, when trying to solve exactly this problem, that on an older version of FireFox that you had to be careful which way around you did the quotes: double inside single, or single inside double? The former didn't always work! Avoiding the need to handle this is better.
2

How about this?

addHtml("<a onclick=\"alert(&quot;Hello from JS&quot;)\">click me</a>");

It worked when I tested in Firefox, at any rate.

Improve this answer

2 Comments

Ah thanks, so just replacing all " by &quot; and it will always work? Well, at least all cases I have tested so far. And tested in Webkit.
I came up with this final solution now (which does exactly that): pastebin.com/QQig9y82
1 
addHtml("<a onclick='alert(\"Hello from JS\")'>click me</a>")
Improve this answer

2 Comments

That's right it's not a general solution, it's just a solution to the string you provided. I think you have to escape the string before passing it to the function.
Yes, that was what my question is about. :) How do I escape the string.
0

The problem is probably this...

As your code is now, it will add this to the HTML 

<a onclick="alert("Hello from Javascript")"></a>

This is assuming the escape slashes will all be removed properly.

The problem is that the alert can't handle the " inside it... you'll have to change those quotes to single quotes.

addHtml("<a onclick=\"alert(\\\'Hello from JS\\\')\">click me</a>")

That should work for you.

Improve this answer

Comments

-1

What does the final HTML rendered in the browser look like ? I think the three slashes might be causing an issue .

Improve this answer

1 Comment

Yes it does not work, that is what the question is all about. :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.