There are many questions about escaping single and double quotes but I have had no luck finding an answer that solves my particular problem.
I have a PHP function that dynamically returns an image with an onClick event that calls a Javascript function with the name of an object as an argument like so:
$response = "<img src=\"images/action_delete.gif\" onClick=\"confirmDelete('" . $event->getName() . "')\"/>";
The Javascript function should display a confirmation dialogue at some point like this:
confirm('Delete event ' + name + ' ?')
How should I format $response in PHP to make sure the Javascript confirm won't mess up when the user enters a name containing ' or " or \' or \" ?
asked Apr 13, 2011 at 9:44 by EENN
4 Answers
You could escape any quotes in PHP using htmlspecialchars or htmlentities, however this doesn't solve the issue of single quotes, even if ENT_QUOTES is set.
Doing a little testing I see the following should work, although it may not be very elegant:
$name = htmlentities(str_replace("'", "\'", $event->getName()));
$response = "<img src=\"images/action_delete.gif\" onClick=\"confirmDelete('" . $name . "')\"/>";
Hope that helps
Process the string using json_encode(). That will ensure it's a valid JavaScript expression.
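As an added example that is not from the question or any of the answers, here is the json_encode approach carried through for the nested context (a JavaScript string literal inside an HTML attribute): the JSON_HEX_* flags keep quotes, angle brackets and ampersands out of the literal, and htmlspecialchars handles the attribute layer that the browser decodes before the JavaScript engine sees the string. jsStringInAttribute, deleteButton and the sample names are assumed names and constructed inputs.

```php
<?php
// Added example, not code from the question or any answer.

// Layer 1: JSON-encode the value so it is a valid JavaScript string literal.
//          JSON_HEX_APOS/QUOT/TAG/AMP turn ' " < > & into \uXXXX escapes,
//          so the literal itself contains nothing the HTML parser cares about.
// Layer 2: HTML-escape the literal for the attribute context.  The browser
//          undoes this layer when it parses the attribute, leaving the JS
//          engine with exactly the literal produced in layer 1.
function jsStringInAttribute(string $value): string
{
    $js = json_encode(
        $value,
        JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
    return htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the same <img onClick="confirmDelete(...)"> markup as the question,
// but with the name encoded for both contexts (hypothetical helper).
function deleteButton(string $name): string
{
    return '<img src="images/action_delete.gif" onClick="confirmDelete('
        . jsStringInAttribute($name) . ')"/>';
}

// Constructed sample names covering the cases the question asks about:
// single quote, double quote, backslash-quote, and markup.
$samples = [
    "O'Brien",
    'say "hi"',
    "back\\'slash",
    "</script><script>alert(1)</script>",
];

foreach ($samples as $name) {
    // e.g. O'Brien -> confirmDelete(&quot;O\u0027Brien&quot;)
    echo deleteButton($name), "\n";
}
```

Note that escaping with htmlentities alone (as in the first answer) leaves backslashes untouched, so a name ending in a backslash can still swallow the closing quote of the JavaScript literal; json_encode escapes the backslash as well.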
Very safe alternative which also gives you the hand cursor for free
<script>
function confirmDelete(idx) {
    // The name is read from a hidden span, so it never has to be escaped for JavaScript
    if (confirm(document.getElementById("msg" + idx).textContent)) {
        location = "delete.php?idx=" + idx;
    }
    return false;
}
</script>
<!-- The name still has to be HTML-escaped for the span's content -->
<span id="msg1" style="display:none"><?PHP echo htmlspecialchars($event->getName(), ENT_QUOTES, 'UTF-8'); ?></span>
<a href="#" onClick="return confirmDelete(1)"><img src="images/action_delete.gif" style="border:0" /></a>
Another solution worked for me, if you have single quotes, double quotes, slashes and backslashes in your input string:
// Escape backslashes first, then single quotes, then HTML-encode for the attribute
$output = htmlentities(str_replace(array(chr(92), "'"), array(chr(92) . chr(92), "\'"), $input));
with something like:
$response = "<img src=\"images/action_delete.gif\" onClick=\"confirmDelete('" . $output . "')\"/>";
Thanks to nicja!