-1

I want to have more than two layers of quotes.

This is for an error message using document.write and php’s echo function.

<img src="#" onerror="javascript:document.write('<?php echo("An error has occurred.") ?>')">

I expected it to replace the document with "An error has occurred," but it didn’t.

Rob
J. Smith
    In modern JavaScript, you could use `\``, but you're really going about this wrong. You should *escape* any quotes so the string can be safely handled by the target language. – p.s.w.g May 24 '19 at 20:47
  • What language?! In PHP you have single quote, double quote, heredoc and nowdoc. https://www.php.net/manual/en/language.types.string.php – Andreas May 24 '19 at 20:52
  • View source or look at the F12 developer tools network tab to see what the server sent. i'd expect the PHP code to be replaced with the echo results, and that there is some other problem with your page scripting. If you need more help, please edit your question so it is a [mcve] – Dave S May 24 '19 at 21:07
  • PHP is processed server-side, but this `onerror` handler will be invoked client-side. Correct me if I'm wrong but wouldn't this also write the `` tags into the local document? – Romen May 24 '19 at 21:22
  • @Romen, No, the php is processed inline with the result of the html. In this case it evaluates to . – serverSentinel May 24 '19 at 21:29
  • @serverSentinel, Thanks for the correction. Seeing that nested inside so many quotes made me assume it wouldn't be processed for some reason. – Romen May 24 '19 at 21:42

1 Answer

3

You shouldn't have javascript: as part of the onerror event.

Wrap your statement in htmlentities with the ENT_QUOTES flag to handle embedded html and convert quotes to the appropriate escaped value.

<img src="#" onerror="document.write('<?= htmlentities("An error has occurred.", ENT_QUOTES); ?>')">

Unless you're echoing a PHP method or variable, it's unnecessary to even use PHP.

<img src="#" onerror="document.write('An error has occurred')">
serverSentinel
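Added example, not part of the question or the answer above: the message is the constructed string shown in the code, and the function names are ours. It shows why the order of encoding matters once the PHP string sits inside a JavaScript string literal inside an HTML attribute. The browser decodes HTML character references in the attribute value first and only then compiles the result as JavaScript, so a quote that htmlentities() turned into `&#039;` is a bare `'` again by the time the JavaScript parser sees it. The layered version encodes for the inner context (JavaScript) with json_encode and then for the outer context (HTML attribute) with htmlspecialchars.

```php
<?php
// Added example; not code from the question or the answer above.
// A PHP string embedded as a JS string literal inside an HTML event
// handler passes through two parsers: HTML attribute decoding first,
// JavaScript compilation second. Each layer needs its own encoding.

// Approach from the answer: HTML-encode only.
function attrHtmlOnly(string $msg): string
{
    return 'document.write(\'' . htmlentities($msg, ENT_QUOTES, 'UTF-8') . '\')';
}

// Layered approach: JS-encode for the inner context, then HTML-encode the
// result for the attribute. The JSON_HEX_* flags make json_encode emit
// \u00XX escapes for < > & ' " so the literal contains nothing that either
// the HTML parser or the JS parser can misread.
function attrLayered(string $msg): string
{
    $js = json_encode($msg, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return 'document.write(' . htmlspecialchars($js, ENT_QUOTES, 'UTF-8') . ')';
}

// What the JS engine will actually compile: the attribute value after the
// browser has decoded its character references.
function asSeenByJsParser(string $attrValue): string
{
    return html_entity_decode($attrValue, ENT_QUOTES, 'UTF-8');
}

// Constructed input containing both kinds of quote and a tag.
$msg = "Can't open <b>config</b>: \"missing\"";

foreach (['html only' => attrHtmlOnly($msg), 'layered' => attrLayered($msg)] as $label => $attr) {
    echo "[$label]\n";
    echo "  in HTML source : <img src=\"#\" onerror=\"$attr\">\n";
    echo "  JS that runs   : " . asSeenByJsParser($attr) . "\n";
}
// "html only" compiles to  document.write('Can't open <b>config</b>: "missing"')
//   which is a JS syntax error: the apostrophe closes the string literal.
// "layered" compiles to    document.write("Can\u0027t open \u003Cb\u003E...")
//   which is valid JS and writes the original message.
```

Note that document.write() parses its argument as HTML, so the `<b>` in the message is rendered as markup rather than shown literally; if the text must be displayed verbatim, assign it to an element's textContent instead of writing it into the document.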