6

My description contains an apostrophe ('). How do I escape it?

    <a href='javascript:select("<%= pageBean.replace(list.getColumn(0), "'", "'") %>",
    "<%= pageBean.replace(list.getColumn(1), "'", "'") %>");' title="<%=selRpt%>">
    <span class='img-view'></span></a>

"<%= pageBean.replace(list.getColumn(1), "'", "'") %>" is the description part in my JSP scriptlet, which contains an apostrophe (').

My HTML View

    <a href='javascript:select("JWCCA5",
    "Worker's Compensation Form -  California Form 5020(New)");'
    title="Select Report"><span class='img-view'></span></a>

Kdeveloper
John

7 Answers

6

Use \'

Inside an HTML tag, you need to turn the string into HTML entities, so the quote becomes &#039;

Inside pure JavaScript, you could also escape the quote with a \'

Pekka
  • `"` is the way to go here, HTML doesn't allow backslash escaping. @John, replace "Worker's" with "Worker"s". – Andy E Oct 20 '10 at 11:04
  • @John you are not specifying the language you're using, but it almost certainly has an `addslashes` function of some sort to add backslashes, or a `htmlentities` one to convert all special characters into their entity equivalents. – Pekka Oct 20 '10 at 11:04
  • @Andy is correct, I overlooked that this is inside HTML code, so you need to look for the entities function in your language / framework – Pekka Oct 20 '10 at 11:05
6

For reserved HTML characters you should use HTML entities. An apostrophe is then represented as &#39;:

    <a href='javascript:select(
      "<%= pageBean.replace(list.getColumn(0), "'", "&#39;") %>",
      "<%= pageBean.replace(list.getColumn(1), "'", "&#39;") %>");' title="<%=selRpt%>">
    <span class='img-view'></span></a>

Kdeveloper
2

Usually \' should work, but it seems that sometimes you need to use '' (double apostrophe).

Try this one:

    <%= pageBean.replace(list.getColumn(0), "'", "\'") %>

or:

    <%= pageBean.replace(list.getColumn(0), "'", "''") %>

One of them should work (from my experience).

For attributes within HTML tags, I would use " (quotation mark) rather than ' (apostrophe).

Paweł Dyda
  • It depends where your string is coming from. I assume that "Worker's Compensation form" will be placed in some properties eventually (at least it should, I wouldn't hardcode it), in such case you should escape it in properties file. Otherwise simply escape it as you code. – Paweł Dyda Oct 20 '10 at 11:28
1

Call a function from the HTML, and put your JavaScript in that function. It'll get around your problem, but I think it's slightly better practice anyways.

EMMERICH
1

Maybe you could use the unicode character code instead? (\u0027)

Curtis
  • I expect you could use it anywhere you've got an apostrophe that's not intended to be a delimiter. – Curtis Oct 20 '10 at 11:34
1

You have to replace the ' with &#39; before it is rendered.
You can do it in
- the properties file from where this is coming from
- in code in ASP

BTW, what are you trying in this line?

    "<%= pageBean.replace(list.getColumn(1), "'", "'") %>"

Perhaps

    "<%= pageBean.replace(list.getColumn(1), "'", "&#39;") %>"

should do the work.

Nivas
1

A normal JSP developer would abandon old-fashioned scriptlets and use JSTL c:out or fn:escapeXml instead. Both escape predefined XML entities like ' to &#39; and so on.

Here's an example with fn:escapeXml:

    <%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
    ...
    <a href="javascript:select('${fn:escapeXml(list.columns[0])}',
        '${fn:escapeXml(list.columns[1])}');" title="${title}">

You may only need to change the model to be more a fullworthy Javabean.

BalusC
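
The value in this thread sits in two nested contexts, a JavaScript string literal inside an HTML attribute, and the browser undoes the HTML layer before the script runs. The following is an added example, not code from the question or any answer: it encodes for both layers in order and simulates the browser's decoding to compare that with HTML escaping alone. All function names are hypothetical, and the logic is shown in JavaScript for clarity; in a JSP page the same two steps would run on the server.

```javascript
// Added example, not code from the thread. All function names are hypothetical.

// Layer 1: JavaScript string literal. Everything outside a small allowlist
// becomes \uXXXX, so quotes, backslashes, newlines and % (javascript: URLs
// are percent-decoded before they run) can never end the literal.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Layer 2: HTML attribute value. Applied last, because the browser undoes
// this layer first.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function buildSelectLink(code, description) {
  const js = `select("${escapeJsString(code)}", "${escapeJsString(description)}");`;
  return `<a href="javascript:${escapeHtmlAttr(js)}">view</a>`;
}

// For comparison: HTML escaping only, value inside a single-quoted JS literal.
function buildHtmlOnlyLink(description) {
  return `<a href="javascript:select('${escapeHtmlAttr(description)}');">view</a>`;
}

// Minimal stand-in for the browser: decode the attribute, percent-decode the
// javascript: URL, then run the script with a stub select().
function simulateClick(html) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"' };
  const attr = /href="javascript:([^"]*)"/.exec(html)[1];
  const calls = [];
  try {
    const script = decodeURIComponent(attr.replace(/&(?:#(\d+)|(amp|lt|gt|quot));/g,
      (_, num, name) => (num ? String.fromCharCode(Number(num)) : named[name])));
    new Function("select", script)((...args) => calls.push(args));
  } catch (err) {
    return { error: err.name };
  }
  return { calls };
}

// Constructed sample input: the code and description shown in the question.
const description = "Worker's Compensation Form -  California Form 5020(New)";
console.log(simulateClick(buildSelectLink("JWCCA5", description)));
console.log(simulateClick(buildHtmlOnlyLink(description)));
```

With HTML escaping alone, `&#39;` is decoded back to `'` before the script is parsed, so the single-quoted literal ends at the apostrophe; with both layers the original text reaches `select()` unchanged.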