
impossible to escape single quotes in XML

Please help me with this issue. I have a PHP file which generates XML. I have the following code, in which I cannot escape a JS script within the XML:

$xml_after='<html>'.htmlspecialchars('    
<div class="options" id="options_'.$tables_row['id'].'">    
<a class="insidetable" href="" title="'.$lang['delete'].'" 
onClick="show_confirmation(\''.$messages['delete_table'].'\',\''.$lang['close'].'\',hide_element(\'confirmation\');\''.$lang['delete'].'\',remove_table(\''.$tables_row['id'].'\');hide_element(\'confirmation\');\');return false;\" ><img src="../images/interface/icons/delete.png" />    
</a></div>').'</html>';     

The problem is in the onClick functions. Please help, I have already lost a full day on this, thank you.

Be aware that htmlspecialchars() escapes < and >, too. You have to use it on each value separately, not on the complete HTML fragment.

htmlspecialchars() has an option that escapes all quotes.

var_dump(htmlspecialchars("Escaping: <>&'\"", ENT_QUOTES));

Output:

string(35) "Escaping: &lt;&gt;&amp;&#039;&quot;"

But it would be better to use DOM and let it take care of the escaping.

Additionally, I suggest using data-* attributes in HTML. The JavaScript can read the attributes and bind the logic to the elements. This separates the actual JS logic from the HTML.

I think your code is incorrectly formatted:

$xml_after='<html>'.htmlspecialchars('<div class="options"
     id="options_'.$tables_row['id'].'">    

<a class="insidetable" href="" title="'.$lang['delete'].'" 
     onClick="
     show_confirmation(\''.$messages['delete_table'].'\',\''.$lang['close'].'
          \', hide_element(\'confirmation\');\''.$lang['delete'].'    
          \', remove_table(\''.$tables_row['id'].'\');
              hide_element(\'confirmation
          \');
      \');return false;\" > 

<img src="../images/interface/icons/delete.png" />    

</a></div>').'</html>';

After each of the functions inside the show_confirmation call you have a ;, which isn't valid in a function call's parameter list.

On the last line of the onClick function:

\');\');return false;\" > 

The second \' is unmatched, and the double quote \" shouldn't be escaped as far as I can see. Change that and maybe it will work for you.
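As an added example serving both answers above (it is not code from the question or from either answer), here is the delete link built two ways: once as an inline onClick with every value escaped separately, which is what the first answer advises and the second answer's quoting fixes work toward, and once with data-* attributes built through DOM and bound from a separate script. The helper names show_confirmation and remove_table come from the question; their signatures, the sample values in $tables_row, $lang and $messages, and the attr()/jsStringAttr() helpers are assumptions made here.

```php
<?php
// Added example (not from the question or either answer). Assumptions: the
// arrays hold the keys the question uses; show_confirmation(message,
// closeLabel, deleteLabel, onDelete) and remove_table(id) are the page's
// helpers, with a signature assumed here.
declare(strict_types=1);

// Constructed sample data with every character the original concatenation
// trips over: ' " < > &
$tables_row = ['id' => '7'];
$lang       = ['delete' => 'Delete', 'close' => 'Close'];
$messages   = ['delete_table' => "Delete \"Bob's\" <table> & its rows?"];

// HTML-attribute escaping. ENT_QUOTES also turns ' into &#039;, so a value
// cannot terminate the attribute whichever quote style encloses it.
function attr(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A JS string literal inside an HTML attribute needs two layers, innermost
// first: json_encode() makes the JS literal (quotes, backslashes, < > & hex-
// escaped), then attr() HTML-escapes it, because the browser HTML-decodes the
// attribute before the JS parser ever sees it.
function jsStringAttr(string $v): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return attr(json_encode($v, $flags));
}

// Variant 1: inline handler, each value escaped on its own. Every argument is
// a plain JS expression; there is no ';' inside the argument list.
function inlineHandlerLink(array $row, array $lang, array $messages): string
{
    $id = $row['id'];
    $onClick = 'show_confirmation('
        . jsStringAttr($messages['delete_table']) . ','
        . jsStringAttr($lang['close']) . ','
        . jsStringAttr($lang['delete']) . ','
        . 'function(){remove_table(' . jsStringAttr($id) . ');}'
        . ');return false;';
    return '<div class="options" id="options_' . attr($id) . '">'
        . '<a class="insidetable" href="#" title="' . attr($lang['delete']) . '"'
        . ' onclick="' . $onClick . '">'
        . '<img src="../images/interface/icons/delete.png" alt="' . attr($lang['delete']) . '">'
        . '</a></div>';
}

// Variant 2: no script in the markup. DOM escapes every attribute value, and
// the data-* attributes carry only data for a handler that lives in a script.
function dataAttributeLink(array $row, array $lang, array $messages): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $div = $doc->createElement('div');
    $div->setAttribute('class', 'options');
    $div->setAttribute('id', 'options_' . $row['id']);
    $a = $doc->createElement('a');
    $a->setAttribute('class', 'insidetable');
    $a->setAttribute('href', '#');
    $a->setAttribute('title', $lang['delete']);
    $a->setAttribute('data-action', 'delete-table');
    $a->setAttribute('data-table-id', $row['id']);
    $a->setAttribute('data-confirm', $messages['delete_table']);
    $a->setAttribute('data-label-close', $lang['close']);
    $a->setAttribute('data-label-delete', $lang['delete']);
    $img = $doc->createElement('img');
    $img->setAttribute('src', '../images/interface/icons/delete.png');
    $img->setAttribute('alt', $lang['delete']);
    $a->appendChild($img);
    $div->appendChild($a);
    $doc->appendChild($div);
    return $doc->saveHTML($div);
}

// Client side for variant 2, served as an ordinary static script file.
$bindingJs = <<<'JS'
document.addEventListener('click', function (ev) {
    var a = ev.target.closest('a[data-action="delete-table"]');
    if (!a) { return; }
    ev.preventDefault();
    var d = a.dataset;
    show_confirmation(d.confirm, d.labelClose, d.labelDelete, function () {
        remove_table(d.tableId);
    });
});
JS;

// The XML envelope from the question, built with DOM. createTextNode() escapes
// the fragment; createElement('html', $text) would insert it unescaped.
function xmlEnvelope(string $htmlFragment): string
{
    $xml  = new DOMDocument('1.0', 'UTF-8');
    $root = $xml->createElement('html');
    $root->appendChild($xml->createTextNode($htmlFragment));
    $xml->appendChild($root);
    return $xml->saveXML();
}

echo inlineHandlerLink($tables_row, $lang, $messages), "\n\n";
echo xmlEnvelope(dataAttributeLink($tables_row, $lang, $messages)), "\n";
echo $bindingJs, "\n";
```

Run it with `php example.php` (the dom and json extensions are part of a standard build). The point to check in the first variant's output is that the sample message survives intact: the apostrophe in Bob's reaches the JS string as \u0027 rather than ending the literal, and none of the < > & " characters reach the HTML parser unescaped. The second variant is the one to prefer: with no code in the attribute there is only one escaping layer, and DOM applies it.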
