
  1. #1 SitePoint Member (joined Jun 2006, 20 posts)

    Angry: user text with ' or ) damages the code

    Hello,

    I'm trying to build an Ajax form where a user can click on the text and change it directly. It worked fine; however, the code gets damaged when there is a ' or ) in the text.

    Problem 1: the code gets damaged by the user text even after using the function escape().

    Code HTML4Strict:
    <h1 id="h1-23" onclick="return designTitle('hdr','h1-23','23')" style="font-size: large; text-align: center;"><span onmouseover="this.className = 'on'" onmouseout="this.className='off'">hdr</span></h1>

    Code JavaScript:
    // $() and Ajax.Request come from the Prototype library.
    function designTitle( dname , idname , designid )
    {
    	// The form is built by string concatenation: dname lands inside an HTML
    	// attribute and inside a JS string literal in an onclick handler, so a
    	// ' or ) in it ends that literal early. Note that
    	// escape('dtitlechange.desname.value') escapes the literal text, not the
    	// input's value.
    	$(idname).innerHTML = "<form name=\"dtitlechange\" method=\"get\">"
    		+ "<input type=\"text\" onFocus=\"this.select()\" name=\"desname\" value=\""+dname+"\" />"
    		+ "<input type=\"button\" name=\"button\" value=\"chnage\" onclick=\"javascript:designTitleChange('"+designid+"',"+escape('dtitlechange.desname.value')+");\" />"
    		+ "<input type=\"button\" name=\"button\" value=\"cancel\" onclick=\"javascript:cancelIT('"+idname+"','"+escape(dname)+"');\" />";
    }
    function cancelIT( idname , name  )
    {
    	// Restores the original title text (undoes the escape() applied above).
    	$(idname).innerHTML = unescape(name);
    }
    function designTitleChange( designid , designname )
    {
    	// designname is concatenated straight into the query string here.
    	var doit = new Ajax.Request( 'design.php' , {method: 'get' , parameters: 'action=changetitle&dtitle=' + designname + '&did=' + designid , onLoading: sayWait , onComplete: showresponse} );
    }

    Problem 2: something strange happens to the input: you cannot select all the text easily. Even when you click change, the old text comes back into the input (however, the action is done successfully). What I mean is, the form doesn't act normally.

    Can anyone help me, please?

    Thank you in advance.

  2. #2 SitePoint Member (joined Jun 2006, 20 posts)
    Can anyone help me?

  3. #3 SitePoint Guru (joined Sep 2006, 731 posts)
    Quote Originally Posted by Al-Rehaili:
    +escape('dtitlechange.desname.value')+
    That passes a literal string to the escape function, not the value of the form input. In any case it's pointless because the function would not change that string and it doesn't do what you want.
    If I understand, you are using user input as a string parameter, but you don't know or restrict the characters typed. I'm not entirely certain if this will work, but as you're forming a literal string, I would try escaping all the characters. Note the single quotes around the output of the function, which you didn't have.

    Code:
    '"+dtitlechange.desname.value.replace(/(.)/g,'\\$1')+"'
    Tab-indentation is a crime against humanity.

  4. #4 SitePoint Member (joined Jun 2006, 20 posts)
    OK, I will try that.

    However, should I addslashes the word before I pass it to the JavaScript if it contains ' ???

  5. #5 SitePoint Guru (joined Sep 2006, 731 posts)
    Quote Originally Posted by Al-Rehaili:
    OK, I will try that.

    However, should I addslashes the word before I pass it to the JavaScript if it contains ' ???
    No - this code should do that. It adds \ to all characters.
    Tab-indentation is a crime against humanity.
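An added example (not code from the thread or either poster) covering the suggestion in posts #3 and #5: user text is inserted into a JS string literal that itself sits inside an HTML attribute written via innerHTML, so it must be escaped for both contexts. A blanket backslash before every character does not survive that: `\b`, `\n`, `\t` and `\1` already mean something in a JS literal, and `.` never matches a newline, so the example uses `\uXXXX` for every non-alphanumeric character and then entity-encodes the result for the attribute. Function names and the sample inputs are assumptions.

```javascript
// Added example, not code from the thread. Escapes user text for the two
// contexts the thread's markup puts it in: a JS string literal inside an
// onclick attribute, and the HTML attribute itself (the h1 is set via innerHTML).

// Encode every non-alphanumeric character as \uXXXX. A blanket backslash
// (replace(/(.)/g, '\\$1')) turns b, n, t and digits into escape sequences
// and leaves newlines untouched (. does not match \n); \uXXXX avoids both.
function escapeJsLiteral(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Entity-encode the characters that could terminate an HTML attribute value.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Inverse of escapeJsLiteral, used to confirm the round trip in the checks.
function decodeJsLiteral(lit) {
  return lit.replace(/\\u([0-9a-f]{4})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// The onclick value for the cancel button from post #1 (names assumed):
// JS escaping first, then attribute encoding, because the browser decodes
// entities before the JS engine ever sees the handler text.
function buildCancelOnclick(idname, dname) {
  const js = "cancelIT('" + escapeJsLiteral(idname) + "','" +
             escapeJsLiteral(dname) + "')";
  return escapeHtmlAttr(js);
}

// The query string for the Ajax.Request: encodeURIComponent rather than
// escape(), so & and = in the title cannot add or split parameters.
function buildTitleQuery(designid, designname) {
  return 'action=changetitle&dtitle=' + encodeURIComponent(designname) +
         '&did=' + encodeURIComponent(designid);
}
```

Building the form with document.createElement and attaching handlers with addEventListener avoids both escaping contexts entirely, since the text is then set as a property rather than parsed as markup.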

  6. #6 SitePoint Member (joined Jun 2006, 20 posts)
    Thank you very much.