PHP echo of javascript for a new window script worked before and now doesn't - what've I missed?

Question

I have fiddled for ages with escaping special characters and not, and doing this and that. I've exhausted the best part of a couple of hours and I need a fresh pair of eyes! What am I doing wrong?

Updated.

        echo <<<EOT
<script type="text/javascript">
    $( document ).ready( function () {
        var w = window.open("{$address} result", "#", "width=800,height=600");
        var d = w.document.open();
        d.write("<!DOCTYPE html>
            <html>
                <head>
                    <title>{$address} result</title>
                    <link rel="stylesheet" href="css/base.css" type="text/css" />
                </head>
                <body>
                    <code>
                        Request method: {$request_method}
                        {$address}?{$qry_cfg}&amp;{$man_qry} 
                        $result
                    </code>
                </body>
            </html>");
        d.close();
    });
</script>
EOT;

I'm getting an Uncaught SyntaxError: Unexpected token ILLEGAL on line 15 which is where the d.write begins. This answer may help me but I'm having no luck thus far.

OUPUT:

        <script type="text/javascript">
    $( document ).ready( function () {
        var w = window.open("https://api.classmarker.com/v1/groups/recent_results.json result", "#", "width=800,height=600");
        var d = w.document.open();
        d.write("<!DOCTYPE html>
            <html>
                <head>
                    <title>https://api.classmarker.com/v1/groups/recent_results.json result</title>
                    <link rel="stylesheet" href="css/base.css" type="text/css" />
                </head>
                <body>
                    <code>
                        Request method: 0
                        https://api.classmarker.com/v1/groups/recent_results.json?api_key=d4tsE7SvEgzAKlJPFrlvAz3oe9uFQnxy&amp;signature=4495a14efc483aa5ee2f6d4cd480f968&amp;timestamp=1335783600&amp;finishedAfterTimestamp=1335783600&amp;= 
                        {"status":"error","request_path":"v1\/groups\/recent_results","server_timestamp":1415026084,"finished_after_timestamp_used":1413809284,"error":{"error_code":"timeStampOutOfRange","error_message":"Access denied. Timestamp issue. Recalculate the digital signature with each call. (There is a 5-minute window of time variance allowed.) Use seconds since the UNIX Epoch, not milliseconds. Make sure your server calling our service is in sync with an atomic clock."}}
                    </code>
                </body>
            </html>");
        d.close();
    });
</script>

Check your JS console (e.g. shift-ctrl-J in FF/Chrome). Look for syntax errors. And you should switch to using a [HEREDOC](http://php.net/heredoc) for this. Better to use a heredoc and NOT have to escape all those quotes. — Marc B, Nov 03 '14 at 14:20
May I ask why you're escaping everything, and not just use either single quotes, or close PHP, and reopen it where needed? Large parts of code tend to be unreadable when a lot is escaped. — Rik_S, Nov 03 '14 at 14:27
I would prefer not using echo, but ending PHP section and echoing only the dynamic parts directly into JS code. — Tomáš Blatný, Nov 03 '14 at 14:30
@Rik_S I'm just being a plonker. I have been switching my style around furiously. This is all part of learning best practises among other things for me. — Jonathan, Nov 03 '14 at 14:33

score 1 · Accepted Answer · answered Nov 03 '14 at 14:23

1

Syntax errors, due to incorrect escaping. From your generated JS:

d.write("
        ^---start of string
                    <!DOCTYPE html>
                    <html>
                        <head>
                            <title>https://api.classmarker.com/v1/groups/recent_results.json result</title>
                            <link rel="style[...snip...]
                                      ^---end of string

A trivial look at your browser's debug console would have told you this. Running around for 2+ hours, as you say you did, means you didn't look at the ONE thing that would immediately have told you about the problem.

Since you need your backslashes to get from PHP -> JS, you need to DOUBLE escape at the PHP level:

                    d.write(\"
                        <!DOCTYPE html>
                        <html>
                            <head>
                                <title>{$address} result</title>
                                <link rel=\\"sty
                                          ^^---note the doubled backslash.

answered Nov 03 '14 at 14:23

Marc B

356,200
43
426
500

1

Yes, but only for PHP. Consider an escape like gift wrap on a present. You wrapped your present (first backslashes) and presented it to PHP. PHP removes the wrapping, leave just the gift... That raw gift then gets sent out as JS. So you need two layers of wrap: one for PHP, one for JS. – Marc B Nov 03 '14 at 18:40
As far as I know my Chrome debugger simply kept telling me I had an invalid token on that line (`d.write`). I couldn't work out what would satisfy it as the quote itself wasn't the problem – Jonathan Nov 03 '14 at 21:40
yes, because the unquoted `"` inside the html were prematurely terminating your string, causing the html attribute values to "leak out" and be seen as JS code. e.g. `rel="stylesheet"` would have had `rel=` inside the string, and then `stylesheet` as some unknown/undefined JS variable. – Marc B Nov 03 '14 at 21:59
Thanks Marc, I know how escaping works and why it's necessary. I don't think this was the problem. As I said, (in previous revisions of my examples here) I believe I was escaping those quotes properly. What I was not doing was escaping the newlines at the end of each line. This was what threw me. I accepted your answer because you were technically correct in pointing me in the right direction, but not correct on what the actual error was. – Jonathan Nov 03 '14 at 22:15

score 0 · Answer 2 · answered Nov 03 '14 at 14:25

0

Not sure if it is the problem, but you escape your newline character

\\n

answered Nov 03 '14 at 14:25

JMc

355
1
6

It wasn't a problem before, in fact I solved previous problems by double escaping it. Len_D's answer looks like the solution, but thanks! – Jonathan Nov 03 '14 at 14:28

Jonathan · Answer 3 · 2014-11-03T21:38:09.310

Problem solved by using the following (verbose I know) code:

echo     "\n<script type='text/javascript'>
            $(document).ready( function () {
                var w = window.open('{$address} result', '#', 'width=800,height=600');
                var d = w.document.open();

                    d.write('<html>\
                        <head>\
                            <title>{$address} result</title>\
                            <link rel=\"stylesheet\" href=\"css/base.css\" type=\"text/css\" />\
                        </head>\
                        <body class=\"result\">\
                            <code>Request method: {$request_method}\\n{$address}\\n?{$qry_cfg}&amp;{$man_qry}\\n", htmlentities($result), "</code>\
                        </body>\
                    </html>');
                d.close();
            });
        </script>\n";

Not escaping the newlines may have been the crux of the problem. Funny because I knew this about JS and managed to overlook it here as it was working before in a different format.

PHP echo of javascript for a new window script worked before and now doesn't - what've I missed?

3 Answers3