60

In Javascript, when I put a backslash in some variables like:

var ttt = "aa ///\\\";
var ttt = "aa ///\";

Javascript shows an error.

If I try to restrict user in entering this character, I also get an error:

(("aaa ///\\\").indexOf('"') != -1)

Restricting backslashes from user input is not a good strategy, because you have to show an annoying message to the user.

Why am I getting an error with backslash?

Mosè Raguzzini
  • 15,399
  • 1
  • 31
  • 43
Imrul
  • 3,456
  • 5
  • 32
  • 27
  • scackoverflow strip my 1 slashe from everywhere, even in () there was 1 slash(\\). the real slash sequence is 3 slashes in a variable – Imrul Oct 11 '10 at 04:19
  • Where is the input string from? Is it from the browser itself (user entered) or from the back end (inserted by PHP/Perl/Ruby/etc..)? I ask because it looks like you're trying to use javascript to solve this which totally does not make sense. All strings coming from the user directly typed in the browser is already escaped so you shouldn't need to do any escaping. The only issue would be what is retrieved in the back end. – slebetman Oct 11 '10 at 04:41
  • yes, it's in user input from HTML input filed in Browser and manipulation is don't using javascript. I use ASP.NET(C#) in back end. There is no 'addslashes' function in ASP.NET. If this can be resolved in Server side then also it's ok for me. – Imrul Oct 11 '10 at 04:46
  • @Imrul, long story short, in client-side, you will *have* to read source code literally in `var ttt = "aa ///\\\\\\";`. Try to make that happen. If you use C#, why did you give us links to PHP? You should post your C# code. – livibetter Oct 11 '10 at 04:52
  • You can't solve this in javascript (because by then it's already a syntax error). Re-tag your question as ASP.NET and show us how you include the string in ASP. – slebetman Oct 11 '10 at 05:53
  • thanks all of you for your answer. I am going to Escape this using C# and let all of you know. Since you have told me that it is not possible in JavaScript. Then would you tell me why var ttt = document.getElementById('fillme').value; works if i put the same string in – Imrul Oct 11 '10 at 08:40
  • I don't think anyone told you that's impossible in JavaScript, it's just you have to write a correct JavaScript code. Escapi.. nevermind. The answer to the question you have now is HTML doesn't use that kind "backslash" of escaping but requires other kinds. It's not JavaScript. – livibetter Oct 11 '10 at 10:05
  • thanks for answer, but i am assigning it to "var ttt"(var ttt = document.getElementById('fillme')) which is javascript variable. Am I right? – Imrul Oct 11 '10 at 10:37

5 Answers5

128

The backslash (\) is an escape character in Javascript (along with a lot of other C-like languages). This means that when Javascript encounters a backslash, it tries to escape the following character. For instance, \n is a newline character (rather than a backslash followed by the letter n).

In order to output a literal backslash, you need to escape it. That means \\ will output a single backslash (and \\\\ will output two, and so on). The reason "aa ///\" doesn't work is because the backslash escapes the " (which will print a literal quote), and thus your string is not properly terminated. Similarly, "aa ///\\\" won't work, because the last backslash again escapes the quote.

Just remember, for each backslash you want to output, you need to give Javascript two.

Daniel Vandersluis
  • 91,582
  • 23
  • 169
  • 153
  • 3
    Great explanation. I give 1 up vote for this. But i didn't accept this because i didn't get the answer. The input is in User's hand and if the user try to input this kind of sequence then is it possible to overcome this. – Imrul Oct 11 '10 at 08:23
  • plus 1 for this explanation. – Gemark Almacen Feb 24 '23 at 08:23
13

You may want to try the following, which is more or less the standard way to escape user input:

function stringEscape(s) {
    return s ? s.replace(/\\/g,'\\\\').replace(/\n/g,'\\n').replace(/\t/g,'\\t').replace(/\v/g,'\\v').replace(/'/g,"\\'").replace(/"/g,'\\"').replace(/[\x00-\x1F\x80-\x9F]/g,hex) : s;
    function hex(c) { var v = '0'+c.charCodeAt(0).toString(16); return '\\x'+v.substr(v.length-2); }
}

This replaces all backslashes with an escaped backslash, and then proceeds to escape other non-printable characters to their escaped form. It also escapes single and double quotes, so you can use the output as a string constructor even in eval (which is a bad idea by itself, considering that you are using user input). But in any case, it should do the job you want.

Eric Leschinski
  • 146,994
  • 96
  • 417
  • 335
Roy Sharon
  • 3,488
  • 4
  • 24
  • 34
  • Please run this after you add your function in HTML HEAD. You will see the difference. – Imrul Oct 11 '10 at 08:14
  • @Imrul, not sure I understand. Writing a *script* using "aa ///\\\" is not the same as getting "aa ///\\\" as input from the user. In the former case, the triple backslash and the double quotes following them are interpreted as a single backslash followed by a double quotes. In the later case the input is interpreted verbatim, and contains the three backslashes. The stringEscape() function converts a user input into a string literal in script form. I thought that this is what you were trying to achieve, no? – Roy Sharon Oct 11 '10 at 08:59
5

The backslash \ is reserved for use as an escape character in Javascript.

To use a backslash literally you need to use two backslashes

\\
Talal Nabulsi
  • 389
  • 1
  • 5
  • 10
4

You have to escape each \ to be \\:

var ttt = "aa ///\\\\\\";

Updated: I think this question is not about the escape character in string at all. The asker doesn't seem to explain the problem correctly.

because you had to show a message to user that user can't give a name which has (\) character.

I think the scenario is like:

var user_input_name = document.getElementById('the_name').value;

Then the asker wants to check if user_input_name contains any [\]. If so, then alert the user.

If user enters [aa ///\] in HTML input box, then if you alert(user_input_name), you will see [aaa ///\]. You don't need to escape, i.e. replace [\] to be [\\] in JavaScript code. When you do escaping, that is because you are trying to make of a string which contain special characters in JavaScript source code. If you don't do it, it won't be parsed correct. Since you already get a string, you don't need to pass it into an escaping function. If you do so, I am guessing you are generating another JavaScript code from a JavaScript code, but it's not the case here.

I am guessing asker wants to simulate the input, so we can understand the problem. Unfortunately, asker doesn't understand JavaScript well. Therefore, a syntax error code being supplied to us:

var ttt = "aa ///\";

Hence, we assume the asker having problem with escaping.

If you want to simulate, you code must be valid at first place.

var ttt = "aa ///\\"; // <- This is correct
// var ttt = "aa ///\"; // <- This is not.

alert(ttt); // You will see [aa ///\] in dialog, which is what you expect, right?

Now, you only need to do is

var user_input_name = document.getElementById('the_name').value;
if (user_input_name.indexOf("\\") >= 0) { // There is a [\] in the string
  alert("\\ is not allowed to be used!"); // User reads [\ is not allowed to be used]
  do_something_else();
  }

Edit: I used [] to quote text to be shown, so it would be less confused than using "".

livibetter
  • 19,832
  • 3
  • 42
  • 42
  • please see this links http://javascript.about.com/library/bladdslash.htm & http://www.navioo.com/javascript/tutorials/Javascript_addslashes_1558.html they did the same thing but if i use var t = addslashes("aa ///\\\") then i got error!! – Imrul Oct 11 '10 at 04:40
  • Are you coding in PHP in server-side? Because `var t` doesn't seem like a PHP variable declaration. – livibetter Oct 11 '10 at 04:47
  • i am using javascript to solve this. I tried to use escape(string) and unescape(string). But these didn't work either – Imrul Oct 11 '10 at 04:59
  • Then, my answer already told you how to escape \ when you input a string in JS code. The `escape()` is not for that purpose. – livibetter Oct 11 '10 at 05:07
  • i got u'r answer. But that is not what i want. if your input is dynamic then how can you put an extra slash in your string. U need a function to do that. I used some function as i mentioned earlier, but i didn't got what i want. – Imrul Oct 11 '10 at 08:18
  • @Imrul I updated my answer, please see if it fits your problem. – livibetter Oct 11 '10 at 08:39
0

If you want to use special character in javascript variable value, Escape Character (\) is required.

Backslash in your example is special character, too.

So you should do something like this,

var ttt = "aa ///\\\\\\"; // --> ///\\\

or

var ttt = "aa ///\\"; // --> ///\

But Escape Character not require for user input.

When you press / in prompt box or input field then submit, that means single /.

diewland
  • 1,865
  • 5
  • 30
  • 41