0

I have something like this in Java:

```java
stringBuffer.append("<a onclick=\"javascript:setPName('"+StringEscapeUtils.escapeJavaScript(tmpResult)+"');\"><small> "+StringEscapeUtils.escapeJavaScript(tmpResult)+"</small></a>");
```

When checking the same on the Firebug console, it comes out correctly. But I get the following when I check from IE developer tools:

```html
<A onclick="javascript:setPName('TEST\" AKHIL?);?><SMALL>TEST\"AKHIL</SMALL></A>
```

The problem is that the browser is still not recognizing it. I had used StringEscapeUtils.escapeJavaScript to escape single quotes, but it does not work for double quotes.

Akhil K Nambiar
  • What is that `javascript:` doing? It is a pointless [label](https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Statements/label) as there is no loop to break or continue from. – Quentin Nov 01 '12 at 07:49
  • Check out [this](http://stackoverflow.com/questions/2004168/javascript-escape-quotes) post. – Andries Nov 01 '12 at 07:51

2 Answers

2

The problem is that you are using " characters in an HTML attribute value delimited with the same character.

```html
onclick="javascript:setPName('TEST\" <!-- attribute value ends here -->
```

The JavaScript is irrelevant.

You need to escape for HTML (&quot;) not JS.

You could avoid the problem entirely by writing unobtrusive JavaScript.

Quentin
0

Change ['] to ["], try and see. (Please remove "javascript:")

```java
stringBuffer.append("<a onclick=\"setPName(\""+StringEscapeUtils.escapeJavaScript(tmpResult)+"\");\"><small> "+StringEscapeUtils.escapeHtml(tmpResult)+"</small></a>");
```

Or set the value into an attribute (param).

```java
stringBuffer.append("<a param=\""+StringEscapeUtils.escapeHtml(tmpResult)+"\" onclick=\"setPName(this.getAttribute('param'))\"><small> "+StringEscapeUtils.escapeHtml(tmpResult)+"</small></a>");
```

Danny Hong
  • Then the onclick attribute will have the value `javascript:setPName(` which will make the problem worse! – Quentin Nov 01 '12 at 09:12
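
The two approaches discussed in the answers above (HTML-escaping the value of the handler attribute, and passing the value through a separate attribute), shown as an added Java example that is not code from the original posts. `escapeHtmlAttr` and `escapeJsString` are hypothetical minimal stand-ins for a library escaper so the class runs without dependencies; the `data-pname` attribute name and the sample value are assumptions.

```java
public class OnclickEscaping {
    // Hypothetical minimal HTML escaper (stand-in for a library call such as escapeHtml).
    static String escapeHtmlAttr(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }
    // Hypothetical minimal escaper for text placed inside a JavaScript string literal.
    static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '\'' || c == '"') {
                out.append('\\').append(c);
            } else if (c < 0x20 || c == 0x2028 || c == 0x2029) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }
    // Inline handler: escape for the JS string first, then escape the whole attribute value for HTML.
    static String inlineHandlerLink(String value) {
        String js = "setPName('" + escapeJsString(value) + "');";
        return "<a onclick=\"" + escapeHtmlAttr(js) + "\"><small>" + escapeHtmlAttr(value) + "</small></a>";
    }
    // Attribute approach: the value never enters JavaScript source, so HTML escaping alone is enough.
    static String dataAttributeLink(String value) {
        String v = escapeHtmlAttr(value);
        return "<a data-pname=\"" + v + "\" onclick=\"setPName(this.getAttribute('data-pname'))\">"
                + "<small>" + v + "</small></a>";
    }

    public static void main(String[] args) {
        String tmpResult = "TEST\" AKHIL"; // constructed sample value
        System.out.println(inlineHandlerLink(tmpResult));
        System.out.println(dataAttributeLink(tmpResult));
    }
}
```

The order of escaping in `inlineHandlerLink` mirrors the order of parsing in reverse: the browser decodes the HTML attribute first and only then hands the result to the JavaScript parser.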