Safely pass string to javascript

Question

I am trying to pass a string from my java code to javascript like so:

myData.data = "${data.myString}";

This breaks if myString contains a "

I tried storing a javascript safe string instead, just replacing " with \" but then when I use myString in my jsp I get an ugly output with \" showing instead of "

What is the best way to safely pass a string and not mess up the rest of my output.

not a robust solution, but can you use single quotes instead? — Zach Lysobey, Feb 18 '13 at 20:58
did you try to use ' (single quote) instead of " (double quote). you maybe also need to escape this. — mr.VVoo, Feb 18 '13 at 20:58
single quotes causes the same problem, these are user submitted comments that can legitimately contain ' and " — Lumpy, Feb 18 '13 at 20:58
I know nothing about Java, but there must be some way of escaping the comments? — adeneo, Feb 18 '13 at 21:00
`` - http://publib.boulder.ibm.com/infocenter/wchelp/v5r6/index.jsp?topic=/com.ibm.commerce.developer.doc/refs/rsdjspbpescapexml.htm — Ian, Feb 18 '13 at 21:04
using $quot; works. Thanks! are there any other characters I should be worried about? — Lumpy, Feb 18 '13 at 21:04
there is a list here http://www.utexas.edu/learn/html/spchar.html — orangegoat, Feb 18 '13 at 21:11
@orangegoat is there a method that does all of those changes for me? — Lumpy, Feb 18 '13 at 21:40
@Lumpy take a look at http://commons.apache.org/lang/api-2.4/org/apache/commons/lang/StringEscapeUtils.html — orangegoat, Feb 18 '13 at 21:50

score 1 · Answer 1 · edited May 23 '17 at 10:24

1

Encode it into the html in the JSP:

<input id="test_hide" type="hidden" value="${URIUtil.encodeAll("http://www.google.com?q=a b","UTF-8")}">

Then in the JavaScript:

 myData.data = decodeURIComponent(document.getElementById('test_hide').getAttribute('value'));

Java - Convert String to valid URI object

edited May 23 '17 at 10:24

Community

1
1

answered Feb 18 '13 at 21:08

Justin Thomas

5,680
3
38
63

Yeah I had that originally. My use of URLEncoder is fuzzy :) Thanks – Justin Thomas Feb 18 '13 at 21:24

score 0 · Accepted Answer · edited Feb 18 '13 at 21:25

0

Replacing the double quotes with " should work

edited Feb 18 '13 at 21:25

Zach Lysobey

14,959
20
95
149

answered Feb 18 '13 at 21:15

orangegoat

2,523
1
15
17

score 0 · Answer 3 · answered Mar 06 '13 at 10:17

A bad solution :

Check if your string has double quotes, if yes then use

myData.data = '${data.myString}';

if it contains single quotes use

myData.data = "${data.myString}";

This will explode if you have both single and double quotes.

A good solution :

Just use

&quot;

Safely pass string to javascript

3 Answers3