How to concatenate PHP and JavaScript strings with quotes to evaluate properly - Stack Overflow

I have one page iframed inside of another. The child page communicates with the parent page by using the sendMessage() function. The parent page runs eval() on the message that is received from the child page.

This is the code that constructs the message:

 var msg_string = '$("body").append("<?php echo $content; ?>")';
 var send_string = "sendMessage(\'" + msg_string + "\', '<?php echo $receiver_domain; ?>')";
 setTimeout(send_string, <?php echo $delay; ?>);

The problem among other things is that the $content variable contains HTML and the double quotes in things like id="test" do not play well with all of this concatenation. I am at a loss trying to figure this out.

I have already attempted to escape the quotes in $content by converting them to &quot; but that resulted in the browser placing div ids in double double quotes (""test"").

** Update **

Using the json_encode method does work for getting the data to the parent page. It's a much easier solution than what I had been doing (I had already accomplished this much but figured something was amiss). That said, the eval of the data still fails if there are double quotes in a div id="test". A string of just "test" works, but it actually puts "test" verbatim. This is the JavaScript source in the HTML after using the json method:

 var msg_string = '$("body").append("<div class=\\\"test\\\">HEY WHATS UP<\/div>");';
 var send_string = "sendMessage(\'" + msg_string + "\', '')";
 setTimeout(send_string,500);

This fails at the eval. Putting an alert in place of the eval yields this:

 $("body").append("<div class="test">HEY WHATS UP</div>");

Any ideas?

** Update 2 **

So I FINALLY figured this out. It was a combination of the three answers below. The json answer tipped me off. Basically the double quotes needed to be triple backslashed so that by the time it got to the eval, everything would be read properly.

I ran into a few other snags, including /r/n characters in the html...which I removed with str_replace and also an apostrophe...which was in an inner html element...I replaced that with the appropriate html entity and BAM!

Here is the code:

 function escapeQuotes(string){
   var quotes_regex = new RegExp("\"", "g");
   return string.replace(quotes_regex, "\\\"");
 }

 var msg_string = '$("body").append(<?php echo json_encode( str_replace("\r\n", '', $content) ); ?>);';
 var send_string = "sendMessage(\'" + escapeQuotes(msg_string) + "\', '<?php echo $receiver_domain; ?>')";
 setTimeout(send_string,<?php echo $delay; ?>);

I upvoted everyone's answer since I used bits of everything. Thank you so much!

asked Apr 14, 2012 at 2:23 by kurt165749; edited Apr 14, 2012 at 8:02
  • You could base64 encode it - it's ugly, but it'd work. – jimw Commented Apr 14, 2012 at 2:26
  • Ahhhh, the (not so) good ol' days of PHP string mixing. I just converted a whole site from PHP to python and couldn't believe how many escape characters I ended up removing. – Evan Plaice Commented Apr 14, 2012 at 2:30

3 Answers

JSON is your friend.

var msg_string = '$("body").append(<?php echo json_encode($content); ?>)';

If your only concern is double quotes, why not just replace them with an escaped string?

var msg_string = '$("body").append("<?php echo str_replace("\"", "\\\"", $content); ?>")';

I can't exactly test, but that would seem to work to me.

You need to escape using str_replace:

<?php
$search  = array("'", '"');
$replace = array("\'", '\"');
?>
var msg_string = '$("body").append("<?php echo str_replace($search, $replace, $content); ?>")';
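
Added example, not from any of the posts above: the same hand-off with the HTML sent as JSON data and the parent parsing it after an origin check, so no layer of quoting has to survive eval(). `buildMessage`, `handleMessage`, `ALLOWED_ORIGIN` and the sample values are hypothetical, and the `event` object only mimics the `origin` and `data` fields a browser `message` event carries.

```javascript
// Added example with constructed values; no real domains or page content.
const ALLOWED_ORIGIN = "https://child.example"; // assumed origin of the iframed page

// Child side: `content` stands in for what PHP emits with json_encode($content).
// It is wrapped as data and never spliced into JavaScript source text.
function buildMessage(content) {
  return JSON.stringify({ action: "append", html: content });
}

// Parent side: the body of a "message" handler with eval() replaced by an
// origin check, JSON.parse and an allow-list of actions.
function handleMessage(event, appendToBody) {
  if (event.origin !== ALLOWED_ORIGIN) return "rejected: origin";
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return "rejected: not JSON"; // e.g. a string of code meant for eval()
  }
  if (msg === null || msg.action !== "append" || typeof msg.html !== "string") {
    return "rejected: shape";
  }
  // In a browser this callback would be: (html) => $("body").append(html).
  // The markup is only as trustworthy as the origin that was allowed above.
  appendToBody(msg.html);
  return "appended";
}

// Constructed sample holding every character that broke the original chain:
// double quotes, an apostrophe and a CRLF pair.
const sample = '<div class="test">it\'s\r\nHEY WHATS UP</div>';
const appended = [];
const result = handleMessage(
  { origin: ALLOWED_ORIGIN, data: buildMessage(sample) },
  (html) => appended.push(html)
);
console.log(result, appended[0] === sample);
```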