0

I'm trying to get data from PHP into my JavaScript. I'm using raw XMLHttpRequest. It works fine BUT I'm having a parser error when trying to return `<a>` links containing an onclick event with an argument. For instance:

In PHP I have :

echo "<a href='#' onclick=myfunction('$data')>$data</a><br>";

In Javascript I have

xhr.onreadystatechange = function(){
    if(xhr.readyState == 4 && xhr.status == 200){
        document.getElementById("some_id").innerHTML=xhr.responseText;
    }
}

BUT the Google Chrome console shows this in the HTML of the element "some_id":

<a href="#" onclick="myfunction('John" Doe')>John Doe</a>

Instead of having 'John Doe' we have 'John" Doe'. I have figured that the white space between the names is responsible for this (i.e. with no blanks, the result would be 'John Doe').

How can I correct that? (as the double quote in the JavaScript closes the click, i.e. clicking triggers an error)

Jason Krs
  • Not sure I understand the question. What is the expected result and what is the current? – Epodax Jul 13 '16 at 12:43
  • http://stackoverflow.com/questions/3752769/how-to-escape-double-quotes-in-title-attribute – epascarello Jul 13 '16 at 12:43
  • 1
    @Epodax the double quote inside of the JavaScript closed the click... OP wants to know how to fix it. – epascarello Jul 13 '16 at 12:44
  • 1
    Escape the quotes the php inserts and be sure they match once the page loads. Use string concatenation if you have to reuse quotes. Perfect example why inline event handlers are annoying. Alternatively, use a data-attribute instead of inserting the raw username directly into the inline handler. – Shilly Jul 13 '16 at 12:51
  • @Shilly I want what epascarello said – Jason Krs Jul 13 '16 at 12:52
  • 1
    Then you have your solution. – Shilly Jul 13 '16 at 12:53
  • @Shilly It's not that easy. The problem here is the **blank** space between John and Doe. That blank space is somewhat confusing the parsers. Escaping does not resolve the problem. I tried it before – Jason Krs Jul 13 '16 at 13:08
  • Hence in cases like this, I don't use an inline handler or if I do: `echo "$data
    "`. Various escape and concat techniques work here as well, but I'll leave it to you to find out which technique works best for your style of coding. If using $data elsewhere still produces the double quote inside the name, have a look at what $data contains in the php script.
    – Shilly Jul 13 '16 at 13:48
  • @Shilly hmm ok... I'll keep that in mind. I'd appreciate if you could propose something according with the few code lines I have in my OP. Thanks mate – Jason Krs Jul 13 '16 at 13:57
  • Have you tried something like `echo ' – Shilly Jul 13 '16 at 14:03
  • @Shilly that will simply print `$data` ; $data is not considered a variable anymore but a string – Jason Krs Jul 13 '16 at 14:09
  • Even when the variable is outside the string it concats to? Then try reversing the logic: `echo "" . $data . "
    ";`
    – Shilly Jul 13 '16 at 14:16

3 Answers

0

Well, let's look at what that gets rendered as:

<a onclick=myfunction('John Doe')>

To the HTML parser that attribute `onclick` has the value `myfunction('John`, and then there's a second attribute `Doe')`.

You need to ensure valid HTML syntax too:

<a onclick="myfunction('John Doe')">
           ^                      ^

In fact, you need to ensure valid Javascript syntax, and then ensure that Javascript code doesn't break HTML syntax:

printf('<a onclick="%s">', htmlspecialchars(sprintf('myfunction(%s)', json_encode($data))));
deceze
  • Kind of esoteric as an explanation (in my view). if it's not too much to ask, how would that apply to my code ? – Jason Krs Jul 13 '16 at 13:55
  • It would very directly apply to your code...!? You should replace your PHP `echo` with the `printf` version shown to ensure you're producing valid syntax, which should solve your problem. – deceze Jul 13 '16 at 14:15
  • hmm so this is what I wrote `printf('', htmlspecialchars(sprintf('myfunction(%s)', json_encode($data))));` but not only not a single error was raised BUT there is nothing printed on the page. It's all blank as if no code was run – Jason Krs Jul 13 '16 at 19:22
  • OMG this is getting too serious for my skillz mate. I added `ini_set('display_errors', 1); error_reporting(~0);` in my php script but I still get the WSOD. Hmm unless u give me more details, I'm going to give up. Thanks for your help mate. – Jason Krs Jul 14 '16 at 10:12
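
An added example (not code from the question or from any answer) that puts the question's original pattern beside the layered encoding described in the answer above and the data-attribute alternative raised in the comments. The function names, the `js-user` class and the sample values are assumptions made up for the illustration.

```php
<?php
// Added illustration: helper names and sample data are hypothetical/constructed.

const HTML_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE;

/** The question's pattern: unquoted attribute, no encoding at either layer. */
function link_unsafe(string $data): string
{
    return "<a href='#' onclick=myfunction('$data')>$data</a><br>";
}

/**
 * Layer 1: json_encode() turns $data into a valid JavaScript string literal.
 * Layer 2: htmlspecialchars() makes that JavaScript safe inside a quoted
 *          HTML attribute. The link text is HTML-encoded separately.
 */
function link_inline_handler(string $data): string
{
    $jsFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
             | JSON_THROW_ON_ERROR; // throws on invalid UTF-8 instead of returning false
    $js = sprintf('myfunction(%s)', json_encode($data, $jsFlags));

    return sprintf(
        '<a href="#" onclick="%s">%s</a><br>',
        htmlspecialchars($js, HTML_FLAGS, 'UTF-8'),
        htmlspecialchars($data, HTML_FLAGS, 'UTF-8')
    );
}

/** No inline handler: the value travels as data and is never parsed as code. */
function link_data_attribute(string $data): string
{
    $h = htmlspecialchars($data, HTML_FLAGS, 'UTF-8');
    return sprintf('<a href="#" class="js-user" data-name="%s">%s</a><br>', $h, $h);
}

// Constructed inputs: a space, an apostrophe, double quotes, markup characters.
$samples = ['John Doe', "O'Brien", 'Ann "AJ" Lee', 'a<b & c'];

foreach ($samples as $s) {
    echo "unsafe : ", link_unsafe($s), "\n";
    echo "inline : ", link_inline_handler($s), "\n";
    echo "data-  : ", link_data_attribute($s), "\n\n";
}
```

With the data-attribute form, a single delegated `click` listener on `some_id` can read `event.target.dataset.name`, which keeps working for markup inserted later through `innerHTML`.
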
-1

try : json_encode()

echo "<a href='#' onclick=myfunction('".json_encode($data)."')>$data</a><br>";
Martin S.
-1

Ah yes. Then this might be right

echo "<a href='#' onclick=\"myfunction('".urlencode($data)."')\" >$data</a>";
Martin S.
  • Javascript syntax != URL encoding. Wrong escape/encoding mechanism for the wrong language. – deceze Jul 13 '16 at 14:33
  • Hi! Instead of posting two separate answers you can edit the first one to include any new details. – Epodax Jul 13 '16 at 17:53
  • Haha don't know how but it fixed the problem by **replacing the blank space with a + sign**. So now I get `'John+Doe'`. Still it's not quite what I was looking for as it's altering the original data. Thanks for your help mate. – Jason Krs Jul 13 '16 at 19:16