1

I have the following script printed from PHP. If someone has a single quote in the description, it shows a JavaScript error ("missing ;") as it thinks the string is terminated.

print   "<script type=\"text/javascript\">\n
    var Obj = new Array();\n
     Obj.title        = '{$_REQUEST['title']}'; 
     Obj.description     = '{$_REQUEST['description']}';
     </script>";

The form does a POST to this page, and the title and description come from text boxes. Also, I am unable to put double quotes around {$_REQUEST['title']} as it shows a syntax error. How can I handle this?

3 Answers

3

A cleaner (and more secure) way to do it (imo):

<?php 
//code here

$title = addslashes(strip_tags($_REQUEST['title']));
$description = addslashes(strip_tags($_REQUEST['description']));
?>
<script type="text/javascript">
 var Obj = new Array();
 Obj.title = '<?php echo $title?>'; 
 Obj.description = '<?php echo $description?>';
</script>

3 Comments

Yeah. I think strip_tags() does not add security here. All it will do is add another possibility to break user input (as it might eat stuff like < 200)
I think a pure addslashes() should be safe enough. I can't think of a way to break that (although @Mike shows a potential one above)
actually, I think you're right: It is indeed worth adding strip_tags() to prevent breaking out from the script as @Mike shows underneath my answer. +1
0

You also need to be careful with things like line breaks. JavaScript strings can't span over multiple lines. json_encode is the way to go. (Adding this as new answer because of code example.)

<?php

$_REQUEST = array(
    'title'       => 'That\'s cool',
    'description' => 'That\'s "hot"
                      & not cool</script>'
);

?>

<script type="text/javascript">
 var Obj = new Array();
 Obj.title = <?php echo json_encode($_REQUEST['title'], JSON_HEX_TAG); ?>;
 Obj.description = <?php echo json_encode($_REQUEST['description'], JSON_HEX_TAG); ?>;

 alert(Obj.title + "\n" + Obj.description);
</script>

Edit (2016-Nov-15): Adds JSON_HEX_TAG parameter to json_encode calls. I hope this solves all issues when writing data into JavaScript within <script> elements. There are some rather annoying corner cases.
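As an added example (not code from the question or from any of the answers), the following helper wraps json_encode() with the flags that cover the corner cases discussed in this answer, and contrasts it with the addslashes() approach from the first answer. The function names and the sample inputs are constructed for the demonstration; the code assumes PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
// Added example, not from the question or any answer: a helper that turns a PHP
// value into a JavaScript literal that is safe to embed inside a <script> element,
// shown next to the addslashes() approach for comparison.

declare(strict_types=1);

/**
 * Encode $value as a JavaScript literal for use inside <script>...</script>.
 *
 * JSON_HEX_TAG  : '<' and '>' become \u003C / \u003E, so "</script>" and "<!--"
 *                 inside the data cannot close or comment out the script element.
 * JSON_HEX_AMP  : '&' becomes \u0026 (harmless inside <script>, useful if the
 *                 same literal is ever placed in an HTML attribute).
 * JSON_HEX_APOS / JSON_HEX_QUOT : quotes become \u0027 / \u0022 for the same reason.
 * JSON_THROW_ON_ERROR : invalid UTF-8 raises JsonException instead of returning
 *                 false; `echo false` prints an empty string, which would leave
 *                 "Obj.title = ;" (a JavaScript syntax error) in the page.
 *
 * Newlines, tabs and U+2028/U+2029 are escaped by json_encode() by default
 * (non-ASCII becomes \uXXXX unless JSON_UNESCAPED_UNICODE is passed), so a
 * multi-line description no longer breaks the JavaScript string.
 */
function js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** The addslashes()-based approach from the first answer, kept only for comparison. */
function js_literal_addslashes(string $value): string
{
    return "'" . addslashes($value) . "'";
}

// Constructed inputs standing in for $_REQUEST['title'] / $_REQUEST['description'].
$samples = [
    'quote'     => "That's cool",
    'newline'   => "line one\nline two",
    'close_tag' => "x</script><script>alert(1)</script>",
    'comment'   => "<!-- ",
    'bad_utf8'  => "\xC3(",
];

foreach ($samples as $name => $input) {
    echo "== $name ==\n";
    // addslashes() leaves the raw newline and the "</script>" sequence in place;
    // the browser's HTML parser ends the script element before JavaScript ever runs.
    echo "addslashes : ", js_literal_addslashes($input), "\n";
    try {
        echo "json_encode: ", js_literal($input), "\n";
    } catch (JsonException $e) {
        echo "json_encode: rejected (", $e->getMessage(), ")\n";
    }
}
```

In the template this becomes `Obj.title = <?= js_literal($_REQUEST['title'] ?? '') ?>;` with no surrounding quotes, since json_encode() emits the quotes itself. The catch branch matters in practice: a form field containing bytes that are not valid UTF-8 is an ordinary occurrence, and without JSON_THROW_ON_ERROR (or JSON_INVALID_UTF8_SUBSTITUTE) the silent `false` turns into a broken page rather than a visible error.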


-1

Use the string concatenation operator:

http://php.net/manual/en/language.operators.string.php

print   "<script type=\"text/javascript\">\n
    var Obj = new Array();\n
     Obj.title        = '".$_REQUEST['title']."'; 
     Obj.description     = '".$_REQUEST['description']."';
     </script>";

2 Comments

Will not fix the OP's problem
I was under the impression that the second part of the question was a php syntax error caused by typing something like this: Obj.title = '"{$_REQUEST['title']"';
