
Proper way to escape a string

I have created an "edit comment" button in JavaScript for a website. Actually everything works fine, but the string escapes do not work. I just tried to put into the edit input something like

 <script> alert(user->id); </script>

And it shows the alert!

I tried to do some long escapes like these below but they do not change anything, the alert still appears:

 newComment.replace("'","\'");
 newComment.replace("\"","\\\"");
 newComment.replace("(","\(");
 newComment.replace(")","\)");
 newComment.replace("<","\<");
 newComment.replace(">","\>");
 newComment.replace(";","\;");

I have also tried to use encodeURI, but it instantly shows the encoded comment, which does not look good at all...

So what is the proper way to escape the strings now? I am reading dozens of similar topics but I don't get this at all...

but they do not change anything

newComment.replace("'","\'");

You're doing nothing with the result of the function. Instead, do this:

newComment = newComment.replace("'","\'");

Also, you can chain the replace functions together, but make sure you do something with the result, like assign it to a variable; otherwise you're effectively doing nothing:

newComment = newComment.replace("'","\'").replace(...).replace(...);

Escaping characters in a string is meant to be used when you have to code that character in the source of the application. It tells the interpreter/compiler that it's not supposed to treat that character like a normal one and not one that is supposed to abide by the syntax rules of the language. For example:

//the JavaScript engine will interpret this as an error and not execute the code.

var newComment = 'test'';

//this does:

var newComment = 'test\'';

The \ tells the engine "hey, don't use this to close the string, treat it as part of one." With the user entering in text at runtime, the engine already knows that it's not supposed to be interpreted as source, but as a runtime value, so there is no need to escape it in that scenario.

A note about this code:

 newComment.replace("'","\'");
 newComment.replace("\"","\\\"");
 newComment.replace("(","\(");
 newComment.replace(")","\)");
 newComment.replace("<","\<");
 newComment.replace(">","\>");
 newComment.replace(";","\;");
  1. Strings are immutable in JavaScript, so newComment won't ever change. You have to change and assign, like newComment = newComment.replace('','');
  2. Each time you use the replace function it creates a new string, because strings are immutable. You have to be careful of this, because depending on the scenario, that can create a lot of overhead.

JavaScript strings are immutable. So you have to save it to a variable after you call replace.

At the moment you are just calling the replace function, but nothing is being saved.

Here is a quick jsfiddle to help explain: https://jsfiddle.net/s13rboe5/

 var a = "aaa";
 var b = "bbb";
 a.replace('a', 'b');      // result discarded, a is unchanged
 b = b.replace('b', 'a');  // result assigned, b is now "abb"
 alert(a);                 // "aaa"
 alert(b);                 // "abb"

Also here is a link to help you understand immutability in JavaScript.
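The answers above cover why the asker's `replace` calls had no effect (the result is never assigned), but not what the replacement should be for the asker's actual problem, a comment containing `<script>` that runs when displayed. The example below is added here and is not code from the question or any of the answers. It assumes the comment is inserted into the page as HTML, so the characters that matter are the five with meaning in HTML markup (`& < > " '`), not quotes, parentheses or semicolons. Two details of the asker's snippet are worth noting: the replacement string `"\'"` is just `"'"` once JavaScript parses the source, so it would replace a quote with itself even if assigned, and a string pattern passed to `replace` only matches the first occurrence, so a regular expression with the global flag is needed to cover the whole comment. The names `escapeHtml`, `demonstrateReplace`, `renderComment` and `SAMPLE_COMMENT` are this example's own.

```javascript
// Added example; not from the original question or answers.
// Runs in Node.js or a browser console; no DOM is required for the
// functions below (the textContent helper only runs in a browser).

// Characters with meaning in HTML and their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape user text for insertion into HTML markup. The regular expression
// carries the global flag, so every occurrence is replaced; a plain string
// pattern, as used in the question, would only replace the first one.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The immutability point made in the answers: an unassigned replace call
// leaves the original untouched; assigning its result keeps the new string.
function demonstrateReplace() {
  const original = "it's <b>bold</b>";
  original.replace("'", "\\'");                  // result discarded
  const assigned = original.replace("'", "\\'"); // result kept
  return { original, assigned };
}

// Constructed sample input: the payload the asker typed into the edit box.
const SAMPLE_COMMENT = '<script> alert(user->id); </script>';

// Build the comment markup with the user-controlled part escaped, so the
// browser shows the text instead of parsing it as a script element.
function renderComment(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Browser-only: assigning textContent treats the value as data, so no
// escaping is needed at all. This is the preferred route when the comment
// is shown on its own rather than spliced into a larger HTML string.
function setCommentText(element, comment) {
  element.textContent = comment;
  return element;
}

if (typeof document !== 'undefined') {
  const el = setCommentText(document.createElement('div'), SAMPLE_COMMENT);
  console.log(el.outerHTML); // the <script> text appears escaped, never executed
}
console.log(renderComment(SAMPLE_COMMENT));
```

Escaping is specific to where the text lands: `escapeHtml` is right for an HTML element body or a quoted attribute value, while text placed inside a URL or inside a `<script>` block needs a different encoding. Where the page's own comment rendering already uses `textContent` or a framework's text binding, no manual escaping is required.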
