I have to call the following javascript function

```javascript
// Replaces wordToChange in firstValue with the text currently typed into
// field and shows the result in the element whose id is changeId.
function changeExampleField(firstValue, changeId, field, wordToChange)
{
  var exampleTxtElem = document.getElementById(changeId);
  var newTxt = field.value;
  // String.prototype.replace with a string pattern replaces only the first match.
  // Assigning innerHTML renders the typed text as HTML; textContent would show it as plain text.
  exampleTxtElem.innerHTML = firstValue.replace(wordToChange, newTxt);
}
```

The problem with this is that I get the value of "firstValue" from the database; it is a String and it can contain single quotes. For example:

I get a value from the database which works:

```html
<input class="" type="text" name="text_label.test_virus_connection" value="test" size="50" maxlength="50" id="a_text_label.test_virus_connection"   onkeyup="changeExampleField('Verbindung testen', 'example_label.test_virus_connection', this, 'test')"  onFocus="dispHelp('')">
```

But I can get values from the database which don't work:

```html
<input class="" type="text" name="text_pass_sprachtest.label.execute.successfull" value="test" size="50" maxlength="50" id="a_text_pass_sprachtest.label.execute.successfull"   onkeyup="changeExampleField('Bewerbung(en) erfolgreich auf 'Sprachtest(s) bestanden' gesetzt!', 'example_pass_sprachtest.label.execute.successfull', this, 'test')"  onFocus="dispHelp('')">
```

My question is: is there a different way to call the function (for example with properties or so)? Or a different way to solve this problem?

user2960190
  • The easiest solution would be to use backslashes. So instead of `'`, you should use `\'` - but only for single quotes inside single quotes. – alesc Jun 11 '15 at 07:49
  • Those are single quotes, not tick marks. And the solution here is to escape your data properly before using it in HTML. This is necessary both to make the data usable and to prevent a reflected XSS attack. – elixenide Jun 11 '15 at 07:52
  • Read this thread: [Single quote escape](http://stackoverflow.com/questions/8744315/single-quote-escape-in-javascript-function-parameters) – Mariano Montañez Ureta Jun 11 '15 at 08:02
  • I don't get it. Would you please explain what you are doing? Give an example; what is id="text_label.test_virus_connection" and what do you want to happen to it? There is a solution to the problem of the single quotes (= escaping with \ ), but the real problem is deeper. You should not do it this way. There is too much mixing of script and style with your HTML. And you could use names that are less confusing. – Emmanuel Delay Jun 11 '15 at 08:53
  • @EmmanuelDelay. I am building an HTML page with Java on the server side. The values (for example "text_label.test_virus_connection") are entries of the database. I haven't got any problem with those; I only have problems with the value of firstValue. For example, one of the database entries is "Bewerbung(en) erfolgreich auf 'Sprachtest(s) bestanden' gesetzt!". It doesn't work, because the entry has got single quotes inside. I used to solve the problem with backslashes, but that doesn't work either. – user2960190 Jun 11 '15 at 10:24

1 Answer

You should do either of these:

Replace the outer single quotes with double quotes:

```javascript
"Bewerbung(en) erfolgreich auf 'Sprachtest(s) bestanden' gesetzt!"
```

or escape the single quotes in the middle:

```javascript
'Bewerbung(en) erfolgreich auf \'Sprachtest(s) bestanden\' gesetzt!'
```

If you do not do it either way, then it is not considered a string.
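The escaping the answer and the comments describe, worked through for the generated attribute in the question as an added example (not code from the question or the answer): the database value passes through two parsers, first the HTML attribute decoder and then the JavaScript string parser, so it needs a JavaScript string-literal escape applied first and an HTML attribute escape applied second. The helper names (`jsStringLiteral`, `htmlAttribute`, `htmlDecode`, `buildOnKeyUp`) are this example's own.

```javascript
// Escape a value so it is a valid single-quoted JavaScript string literal.
// Backslash goes first, then the quote; CR/LF and the U+2028/2029 line
// separators would otherwise end the literal. "<" is written as \x3C so the
// value can never form a tag or comment marker inside a script context.
function jsStringLiteral(value) {
  const escaped = String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\x3C');
  return "'" + escaped + "'";
}

// Escape a value for a double-quoted HTML attribute. This is the outer layer:
// the browser HTML-decodes the attribute before the JS parser sees it, so the
// JS escaping above must already be in place.
function htmlAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Minimal model of what the browser does with the attribute value (only the
// entities emitted above; a real parser decodes many more).
function htmlDecode(attr) {
  return attr.replace(/&quot;/g, '"').replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Build the onkeyup attribute from raw database values, the way the server
// side in the question would have to (the same two steps apply in Java).
function buildOnKeyUp(firstValue, changeId, wordToChange) {
  const call = 'changeExampleField(' +
    [jsStringLiteral(firstValue), jsStringLiteral(changeId), 'this',
     jsStringLiteral(wordToChange)].join(', ') + ')';
  return 'onkeyup="' + htmlAttribute(call) + '"';
}

// Constructed sample: the database entry from the question.
const sampleValue = "Bewerbung(en) erfolgreich auf 'Sprachtest(s) bestanden' gesetzt!";
console.log(buildOnKeyUp(sampleValue, 'example_pass_sprachtest.label.execute.successfull', 'test'));
```

The same two-layer treatment covers the reflected-XSS concern raised in the comments, since a value containing `"`, `<` or a newline can no longer leave the attribute or the string literal.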