1

I am trying to pass a string into a javascript from PHP but am failing miserably. From testing I can see its the whitespace that is making my test fail. How do I encode to pass to javascript properly I tried %20 and a few more nothing seems to work.

Full Source

  <script async  src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script type="text/javascript">

function DemoOne(text) {
 $('#PageView').load('test.php?text=' + text);
}
</script>


<?php
$message="hello";

echo "  <a href=\"javascript:DemoOne('$message');\" ><input class='btn' type='button' value='Test'></a>     
<div id='PageView'></div>";

?>

Test Output test.php

<?php
echo $_GET['text'];
?>

FOLLOW UP

Adding the code below still fails it seems only removing spaces will allow this above example to work.

a href=\"javascript:DemoOne(".htmlspecialchars(json_encode($message)).");\" ><input type='button' value='Submit'></a>   
<div id='PageView'></div>
Clive Atkins
  • 545
  • 4
  • 21
  • 1
    Possible duplicate of [Pass a PHP string to a JavaScript variable (and escape newlines)](http://stackoverflow.com/questions/168214/pass-a-php-string-to-a-javascript-variable-and-escape-newlines) – Matt Lo Apr 05 '16 at 23:46

1 Answers1

2

It's got nothing to do with spaces. And you haven't given us the full code. I'm guessing that HTML is inside an echo? If so, you need to do this:

echo "<a href=\"javascript:DemoOne(".htmlspecialchars(json_encode($message)).");\" ><input type='button' value='Submit'></a>   
<div id='PageView'></div>";

i.e. json_encode any data that your pass to JavaScript. You also need to escape it for HTML since it's in an attribute as opposed to a <script> tag.

You also need to escape the query param for the URL.

I amended your code to fix the encoding issues:

  <script async  src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script type="text/javascript">

function DemoOne(text) {
 $('#PageView').load('test.php?text=' + encodeURIComponent(text));
}
</script>


<?php
$message="hello";

echo "  <a href=\"javascript:DemoOne(".htmlspecialchars(json_encode($message)).");\" ><input class='btn' type='button' value='Test'></a>     
<div id='PageView'></div>";

Alternatively, let jQuery do the escaping:

function DemoOne(text) {
 $('#PageView').load('test.php', {text:text});
}
mpen
  • 272,448
  • 266
  • 850
  • 1,236
  • Thanks for the help I amended above to add full source code it still fails however. If I make the $message ="hello" (no spaces will work fine) any other ideas where I am going wrong? – Clive Atkins Apr 06 '16 at 00:24
  • @CliveAtkins That's not the full code. How are you outputting that HTML? Paste the entire .php file if you're not sure. – mpen Apr 06 '16 at 03:27
  • @CliveAtkins Ah...okay, you also need to escape the URL param. You can do that in JS with [encodeURIComponent](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent). I added a full example to my answer. – mpen Apr 06 '16 at 04:36