I am not finding a solution on this one using JavaScript (to utilize localStorage) in a JSP.
Trying to pass something with apostrophe. I have done a .replaceAll() and replaced the ' with ' and it still passes it as an '.
I have also tried a .split("'") and replaced the apostrophe with:
(\' , ' , \', '' , ''' and '\'')
All of these just pass an apostrophe to the function (what I see when I hover over the link) like this:
<a href="saveJob('<%=id%>','<%=title%>','<%=a%>' + '\'' + '<%=b%>','<%=date%>')">Save job</a>
With a and b being the two split substrings but with no effect. I do notice that spaces are converted into %20, but that's little fort. Any other ideas?
I am not finding a solution on this one using JavaScript (to utilize localStorage) in a JSP.
Trying to pass something with apostrophe. I have done a .replaceAll() and replaced the ' with ' and it still passes it as an '.
I have also tried a .split("'") and replaced the apostrophe with:
(\' , ' , \', '' , ''' and '\'')
All of these just pass an apostrophe to the function (what I see when I hover over the link) like this:
<a href="saveJob('<%=id%>','<%=title%>','<%=a%>' + '\'' + '<%=b%>','<%=date%>')">Save job</a>
With a and b being the two split substrings but with no effect. I do notice that spaces are converted into %20, but that's little fort. Any other ideas?
- 2 Don't put your js events inline with your html. Refactor with some type of eventing model to add events from js. – BNL Commented Nov 29, 2011 at 19:42
-
.replaceAll("'", "\\\\'");got me what I needed in the short term. I am not sure which answer to accept as the "Accepted Answer", as I'm torn. Both answers were thoughtful and are viable. Thanks for letting me know there is a better way to do it. Looks like I have some reading to do. I will be looking into JSON objects either way, and am really curious about the phrase "abusing an HTML anchor as a trigger" and what the technical reason is for why doing this is a bad thing? – Dallas Commented Dec 1, 2011 at 14:27
3 Answers
Reset to default 6- Your JSP code is irrelevant. Decide what HTML you want to produce and produce it.
The following are all valid HTML markup:
<a href="saveJob('Bob\'s Question')"> … <a href="saveJob("Bob's Question")"> … <a href="saveJob('He said "Go Away"')"> … <a href='saveJob("He said \"Go Away\"")"> …… and the following are invalid:
<a href="saveJob('Bob's Question')"> <!-- JS string ends early --> <a href="saveJob("Bob's Question")"> <!-- HTML attribute ends early --> <a href="saveJob('Bob's Question')"> <!-- JS string ends early --> <a href="saveJob('He said "Go Away"')"> <!-- HTML attribute ends early -->You cannot use your HTML attribute delimiter in your attribute value except as an HTML entity. You cannot use your JavaScript string delimiter in your JavaScript string unless you escape it, even if you use an HTML entity to describe it.
In general, you should not be putting JavaScript in your HTML (you should attach event handlers to your markup programmatically, from script), and you especially shouldn't be abusing an HTML anchor as a JavaScript trigger (either use an HTML anchor to a valid URL and let JavaScript hijack the link if enabled, or use a
<button>or other element to invoke script-only side effects).
As you've noticed, such manual string escape tasks can be quite tricky; covering apostrophes won't even get you all the way: what if there's a newline in the string? That would break the script as well.
I would remend converting your data to a JSON object, perhaps using JSON-taglib. This should take care of all required escaping for you.
The Phrogz solution
<a href="saveJob("Bob's Question")">
works fine if you have only apostrophes in your text. If your text contains both apostrophes and quotes, you can use a hidden div (div with style='display:none;') for the text, pass the id of the div to saveJob instead of passing the text itself, and get the text inside saveJob by using
document.getElementById(myId).innerHTML