I’m outputting values from a database (it isn’t really open to public entry, but it is open to entry by a user at the company — meaning, I’m not worried about XSS.)
I’m trying to output a tag like this:
DESCRIPTION is actually a value from the database that is something like this:
Prelim Assess “Mini” Report
I must be missing the obvious answer, but for the life of me I can’t figure it out.
Anyone care to point out my idiocy?
Here is the entire HTML page (it will be an ASP.NET page eventually, but in order to solve this I took out everything else but the problem code)
You need to escape the string you are writing out into DoEdit to scrub out the double-quote characters. They are causing the onclick HTML attribute to close prematurely.
The JavaScript escape character, \, isn’t sufficient in the HTML context. You need to replace the double-quote with the proper XML entity representation, &quot;.

&quot; would work in this particular case, as suggested before me, because of the HTML context.
So your onclick would become:

DoEdit('Preliminary Assessment \x22Mini\x22');

(alert() is an easy test method for this.)
<html> <body> <a href="#" onclick="DoEdit('Preliminary Assessment &quot;Mini&quot;'); return false;">edit</a> </body> </html>

Should do the trick.
Folks, there is already the
The problem is that HTML doesn’t recognize the escape character. You could work around that by using the single quotes for the HTML attribute and the double quotes for the onclick.
<a href="#" onclick='DoEdit("Preliminary Assessment \"Mini\""); return false;'>edit</a>
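The three schemes in this thread (\x22 escapes, &quot; entities, and swapping which quote character the attribute and the JavaScript string use) differ in which of the two parsers they protect, because the value has to survive the HTML attribute parser first and the JavaScript parser second. The following is an added example, not code from the question or from any of the answers, that builds the anchor from the question with each scheme and then does what the browser does: pulls the onclick attribute out of the markup, HTML-decodes it, and runs it with DoEdit stubbed out, so you can see which values survive. The function names (escapeForJsInHtmlAttr, buildEditLink, roundTrip, decodeAttr and the three "wrong way" helpers) and the sample values beyond the one in the question (O'Brien, a </script> fragment, a closing-quote injection) are made up for the example.

```javascript
// Added example (not from the original thread). Escapes a database value so it can be
// embedded as a JavaScript string literal inside an HTML event-handler attribute.
// All function names and sample inputs below are assumptions made for this example.

// Every character that could terminate either context, or that means something to
// either parser, is rewritten as a JavaScript \xHH (or \uHHHH) escape. The result
// contains no quotes, backslashes, ampersands, angle brackets or line terminators, so
// it is safe inside a single- or double-quoted attribute with no entity encoding at all.
function escapeForJsInHtmlAttr(value) {
  return String(value).replace(/[\\'"<>&\n\r\u2028\u2029]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The anchor the question is trying to emit: double-quoted attribute, single-quoted JS literal.
function buildEditLink(description) {
  return `<a href="#" onclick="DoEdit('${escapeForJsInHtmlAttr(description)}'); return false;">edit</a>`;
}

// What the question started with: JavaScript backslash escapes only. The HTML parser stops
// at the first raw " and hands JavaScript a truncated handler.
function backslashOnly(description) {
  const js = String(description).replace(/["\\]/g, '\\$&');
  return `<a href="#" onclick="DoEdit('${js}'); return false;">edit</a>`;
}

// The &quot; answer: HTML-encode the value, do nothing for the JavaScript layer. Fine for
// "Mini", but a single quote in the data still terminates the JS string literal.
function entityOnly(description) {
  const attr = String(description).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<a href="#" onclick="DoEdit('${attr}'); return false;">edit</a>`;
}

// The quote-swap answer: single-quoted attribute, double-quoted JS literal with \" escapes.
// A single quote in the data now ends the attribute early instead.
function quoteSwap(description) {
  const js = String(description).replace(/["\\]/g, '\\$&');
  return `<a href="#" onclick='DoEdit("${js}"); return false;'>edit</a>`;
}

// Minimal HTML attribute decoder, enough to exercise the entity approach.
function decodeAttr(attr) {
  return attr.replace(/&(quot|amp|lt|gt|#(\d+)|#x([0-9a-f]+));/gi, (m, name, dec, hex) => {
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    return { quot: '"', amp: '&', lt: '<', gt: '>' }[name.toLowerCase()];
  });
}

// Simulates the browser: extract the onclick attribute (stopping at the attribute's own
// quote character, as the HTML parser does), HTML-decode it, then run it as a function body
// with DoEdit stubbed out to capture the argument it received. Throws SyntaxError when the
// handler JavaScript is broken, which is exactly the failure the thread describes.
function roundTrip(html) {
  const m = /onclick=("([^"]*)"|'([^']*)')/.exec(html);
  if (!m) throw new Error('no onclick attribute found');
  const body = decodeAttr(m[2] !== undefined ? m[2] : m[3]);
  let captured;
  const DoEdit = (v) => { captured = v; };
  new Function('DoEdit', body)(DoEdit);
  return captured;
}

// Constructed sample values: the one from the question plus data that breaks the other schemes.
const samples = [
  'Prelim Assess "Mini" Report',
  "O'Brien \"Mini\"",
  '</script><b>&amp;</b>\n',
  "'); alert(1); //",
];
for (const s of samples) {
  const ok = roundTrip(buildEditLink(s)) === s;
  console.log(ok ? 'ok  ' : 'FAIL', buildEditLink(s));
}
```

The rule the first function implements is: escape for the innermost context first (the JavaScript string literal), and prefer the \xHH form because it leaves nothing for the outer attribute parser to trip on, so it no longer matters which quote character wraps the attribute. If a single quote can appear in the data, the &quot;-only scheme breaks at the JavaScript layer and the quote-swap scheme breaks at the HTML layer; the same breakage is an injection point the moment the data stops being trusted, which is why it is worth doing properly even for an internal page.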
This is how I do it, basically:

var display = document.getElementById('output');
var str = 'class="whatever-foo__input" id="node-key"';
// Prefix every double quote with a backslash before writing the string out.
display.innerHTML = str.replace(/"/g, '\\"');
// will return class=\"whatever-foo__input\" id=\"node-key\"