  1. #1
    SitePoint Zealot nicc9's Avatar

    Question single quotes and '

    hi all.

    I'm having some problem trying to escape single quotes.

    basically, I got some text on the database. if text contains double or single quotes, these are replaced with &quot and &#039 respectively.

    I'm using PHP to alert a portion of the text, let's say "hello, y'all!", this way:

    PHP Code:
    <?php
    echo '<script type="text/javascript">';
    echo "alert('hello, y&#039all!');";
    echo '</script>';
    ?>
    well, the js code breaks, just as if '&#039' were converted to the 'single quote' character.

    how so?

    please help!

    thanks.

  2. #2
    SitePoint Author silver trophybronze trophy

    You need to use JavaScript escapes. The easiest way would be to replace double quotes with \" and single quotes with \'.

    Character entities and numeric character references should not be parsed inside a script element in HTML, since its content model is CDATA. In real XHTML they would, since the content model for script is then (#PCDATA).

    The problem with your approach is that if the reference is parsed, you end up with this:
    Code:
    alert('hello, y'all!');
    Entity references and NCRs are parsed by the HTML parser, not by the JavaScript parser, so the substitution will occur before the script code is executed.

    If the reference is not parsed you're still out of luck, since the JavaScript parser won't parse it for you either. Then you'll end up with an alert saying hello, y&#039all.
    Birnam wood is come to Dunsinane

  3. #3
    SitePoint Zealot nicc9's Avatar
    thanks, AutisticCuckoo.

    so basically, what i see on the page (' or ") is what javascript sees, also?

    because if I look at the source code, I see the html entities in the source code....

  4. #4
    SitePoint Author silver trophybronze trophy

    The source code contains entity references or NCRs (numeric character references). When the source code is parsed, those are transformed by the HTML parser into the corresponding character (a single quote in this case). So what's stored internally in the DOM tree is the single quote character.

    The content in the DOM node is what's passed to the JavaScript interpreter, so it sees the single quote character, not the NCR.

    If you were to echo the same thing into a paragraph instead of a script element, you would see a single quote on the page. Same difference.
    Birnam wood is come to Dunsinane

  5. #5
    SitePoint Member
    I guess the "real" solution is to use PHP's html_entity_decode() to convert the html entities, then use addslashes() to escape the single quotes:

    PHP Code:
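    <?php
    echo '<script>';
    // Decode the stored entities first, then backslash-escape the quotes for the JavaScript string.
    echo "alert('" . addslashes(html_entity_decode("hello, y&#039;all!", ENT_QUOTES)) . "');";
    echo '</script>';
    ?>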
    Last edited by jessephrenic; Dec 23, 2007 at 12:28. Reason: missing semicolon
    The Future of the Web - JavaScript, Ajax, CSS and anything else
    of interest to standards-loving web designers and developers.
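
Added example, not part of the thread: the decode-then-escape idea from post #5, using json_encode() as the JavaScript escaper so that newlines and a literal `</script>` in the stored text are covered as well as quotes. The helper name `js_literal` and the sample strings are assumptions made for illustration; PHP 7.3 or later is assumed for JSON_THROW_ON_ERROR.

```php
<?php
// Added example (not code from the thread).
// js_literal() is a hypothetical helper name.

function js_literal(string $stored): string
{
    // 1. Undo the storage encoding: &quot; and &#039; become " and '.
    $text = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Encode for the JavaScript string context. json_encode() emits a
    //    double-quoted literal and escapes ", \ and control characters.
    //    The JSON_HEX_* flags also write <, >, &, ' and " as \u00XX, so the
    //    HTML parser never sees "</script>" or anything resembling a
    //    character reference inside the script element.
    return json_encode(
        $text,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample values, as they might sit in the database.
$samples = [
    'hello, y&#039;all!',
    'she said &quot;hi&quot;',
    "line one\nline two",
    '</script><b>markup</b>',
];

foreach ($samples as $stored) {
    $literal = js_literal($stored);

    // addslashes() only backslash-escapes ', ", \ and NUL. A raw newline or
    // "</script>" passes through unchanged, and either one breaks the script.
    $decoded = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $naive = "'" . addslashes($decoded) . "'";

    echo "stored:      $stored\n";
    echo "addslashes:  $naive\n";
    echo "json_encode: $literal\n\n";
}

// In the page: the literal carries its own quotes, so none are added here.
echo '<script>alert(' . js_literal('hello, y&#039;all!') . ');</script>', "\n";
```

Run from the command line, this prints each stored value next to both encodings, so the cases where addslashes() leaves the script block broken are visible side by side.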

