使用JavaScript转义单引号

Question

I am aware with escaping special characters in HTML.

But, I am still asking this as I have come across a situation.

I have a JSP, in which I am not allowed put validation on input. Users are entering special characters to test.

Input string:

'#@$%

When I am displaying from database, I am using

<%= StringEscapeUtils.escapeHtml(map[i].get("text").toString())%>

where "map" is an array of Hashmap. This works fine.

The problem comes when I need to pass this string to JavaScript using

<input type="Button"
onclick="onEdit('<%= StringEscapeUtils.escapeHtml(map[i].get("text").toString())%>',
'<%= strShortCut%>','<%= map[i].get("uid")%>')" value="Edit">

The string becomes ''#@$%' .

How do I escape a single quote?

Answer 1

If you would be using Java, maybe you can do the below in Java.

import org.apache.commons.lang.StringEscapeUtils;
...

String result = StringEscapeUtils.escapeJavaScript(jsString);

Answer 2

Just prepend every single quote with a backslash. Like the following: StringEscapeUtils.escapeHtml(map[i].get("text").toString()).replace("\\'","\\\\'")

But your problem is not only in the single quote. There is also the double quote (") and the backslash itself (\\).

Use the same technique as shown before. You can also use regular expressions , but I showed you the simplest way.

To check the escape characters, look at the URL http://docs.oracle.com/javase/tutorial/java/data/characters.html .