
Not quite sure what I'm doing wrong. I have

```php
$description = addslashes($description);
echo "<option onclick='updateTotals(`$urlOptions`,`$option_title`,`$description`)' value='".$description."' selected> ".$description."</option>";
```

An example of the text I'm trying to escape is

422458 - 120' Boom if NOZZLE BODIES is CR II single nozzle body

The source code shows the slashes added in, but the code isn't acknowledging the slash?


mickmackusa
Nicole
  • Can you use back ticks in HTML? – KIKO Software Nov 10 '22 at 18:24
  • The back ticks seem to be working for options that don't have single or double quotes in their descriptions. – Nicole Nov 10 '22 at 18:28
  • 2
    [`addslashes()`](https://www.php.net/manual/en/function.addslashes) was not designed to be used for HTML. Use [`htmlspecialchars()`](https://www.php.net/manual/en/function.htmlspecialchars.php) or [`htmlentities()`](https://www.php.net/manual/en/function.htmlentities.php) to encode properly any dynamic value that you use to generate HTML. Or, even better, use a good templating system (it handles the escaping for you). – axiac Nov 10 '22 at 18:29
  • The backtick does not have any special meaning in HTML. It is a character like any other, no more special than `a` or `7`. – axiac Nov 10 '22 at 18:30
  • Apparently it's a JS thing for "template literals" aka interpolated strings. However, you should not be using these unless you explicitly want interpolation and are handling your data safely, otherwise it's another code injection vector. – Sammitch Nov 10 '22 at 18:30
  • If your purpose is to produce strings in a fragment of JavaScript code then you better use [`json_encode()`](https://www.php.net/manual/en/function.json-encode.php). – axiac Nov 10 '22 at 18:31
  • [How do you pass in a PHP variable into an inline javascript function?](https://stackoverflow.com/q/19943367/2943403) and [escape all quotes and accents in php variable for javascript function](https://stackoverflow.com/q/56023393/2943403) and [How to send php variable onclick of button to javascript function as parameter](https://stackoverflow.com/q/44133675/2943403) and [Passing PHP Variable to Javascript Function (Specific code error)](https://stackoverflow.com/q/13426609/2943403) – mickmackusa Nov 10 '22 at 19:23
  • [PHP - Echoing a string as a parameter in a JavaScript onclick function](https://stackoverflow.com/q/67596261/2943403) and [How do I use PHP to encode a string containing quotes to make it safe for inline 'onclick'?](https://stackoverflow.com/q/43631023/2943403) – mickmackusa Nov 10 '22 at 19:30
  • [Send multiple PHP variables to javascript function](https://stackoverflow.com/q/64773984/2943403) – mickmackusa Nov 10 '22 at 19:39
  • Ah, this (finally) looks like a good one: [Inserting a PHP variable in an HTML string being passed to JavaScript function via AJAX?](https://stackoverflow.com/q/36340680/2943403) – mickmackusa Nov 10 '22 at 20:22

2 Answers


If your purpose is to produce strings in a fragment of JavaScript code then you better use json_encode(). It escapes all characters that need to be escaped in JavaScript and also puts quotes around it producing a valid JavaScript string literal.

A short fragment of PHP code is better than any explanation:

```php
<?php
// a list of characters, including quotes
$value = implode('', ['a', "'", 'b', '"', 'c', "\n", 'd', "\\", 'e']);

echo("const value = " . json_encode($value) . ";\n");
```

Its output is:

```javascript
const value = "a'b\"c\nd\\e";
```

Check it online.

In fact, json_encode() is the best way to encode any data structure if your goal is to generate a fragment of JavaScript code.

axiac
  • It works for the double quotes, but I'm still having issues with the single quotes. – Nicole Nov 10 '22 at 18:49
  • It works with everything because it generates JSON and any JSON is a valid fragment of JavaScript. – axiac Nov 10 '22 at 18:51
  • Sorry, let me rephrase. I've added it in, the code is still having my original issue at the single quote in the 120' – Nicole Nov 10 '22 at 18:54
  • Oh, I see it now. You don't generate some JavaScript in a ` – axiac Nov 10 '22 at 19:08
  • The output for the first suggestion came out like `value='"422458 - 120' Boom if NOZZLE BODIES is CR II single nozzle body"'` – Nicole Nov 10 '22 at 19:14
  • The code in the answer generates JavaScript to be used in ` – axiac Nov 10 '22 at 20:07
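Putting this answer's `json_encode()` advice together with the single-quote problem from the comments, here is an added example (not code from the question or from either answer; the function names, the URL and the second sample description are my own) that builds the questioner's `<option onclick="updateTotals(...)">` markup. It encodes each argument twice, once for the JavaScript context and once for the HTML attribute that wraps it, which is the layering the comment thread is missing.

```php
<?php
// Added example, not from the question or answers. Builds the questioner's
// <option onclick="updateTotals(...)"> so that a value such as
// "422458 - 120' Boom ..." cannot end the JavaScript string or the HTML
// attribute early. jsLiteral(), htmlText() and optionTag() are my own names.

// Encode one PHP value as a JavaScript literal that is also safe inside HTML:
// the JSON_HEX_* flags turn <, >, ', " and & into \uXXXX escapes, so the
// literal contains none of the characters HTML attaches meaning to.
function jsLiteral($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
            | JSON_THROW_ON_ERROR
    );
}

// Encode text for an HTML attribute value or element body. ENT_QUOTES covers
// both ' and ", so the quote style used around the attribute does not matter.
function htmlText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the <option> from raw PHP values. The onclick attribute holds a
// JavaScript call whose arguments are JS literals; the whole call is then
// HTML-encoded once more, because the browser decodes the attribute before
// the JavaScript engine ever sees it.
function optionTag(string $url, string $title, string $description): string
{
    $call = sprintf(
        'updateTotals(%s, %s, %s)',
        jsLiteral($url), jsLiteral($title), jsLiteral($description)
    );
    return sprintf(
        '<option onclick="%s" value="%s" selected>%s</option>',
        htmlText($call), htmlText($description), htmlText($description)
    );
}

// Constructed sample input: the string from the question, and a second
// description mixing both quote styles, a tag and a closing </script>, to
// show that all of them come out as inert text in every context.
$desc = "422458 - 120' Boom if NOZZLE BODIES is CR II single nozzle body";
echo optionTag('/totals?id=422458', 'Boom', $desc), "\n";
echo optionTag('/totals?id=1', 'Mixed', "x\" y' <b>z</b> </script>"), "\n";
```

With the question's string, the browser decodes the attribute to `updateTotals("/totals?id=422458", "Boom", "422458 - 120\u0027 Boom ...")`, and the JavaScript engine turns `\u0027` back into the apostrophe, so `updateTotals` receives the original text unchanged.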

$description can break your option in several ways. It's better to define a function to be called onclick, but going further, it's better to trigger the function onchange of the select.

Take a look at this example:

```php
<?php

$description3 = '<p>This is a single quote: \'</p>'; //Escape ' with \

$myOptions = array(
    'val1' => array(
        'text' => 'Option 1',
        'url' => 'https://url1.com',
        'title' => 'This is Option 1',
        'description' => '<p>This is description for <b>Option 1</b>.</p>',
    ),
    'val2' => array(
        'text' => 'Option 2',
        'url' => 'https://url2.com',
        'title' => 'This is Option 2',
        'description' => '<p>This is description for <b>Option 2</b>.</p>',
    ),
    'val3' => array(
        'text' => 'Option 3',
        'url' => 'https://url3.com',
        'title' => 'This is Option 3',
        'description' => $description3, //No need to escape anything
    ),
);

?>
<script>
// json_encode() produces a valid JavaScript object literal, whatever the values contain
var myOptions = <?php echo json_encode($myOptions); ?>;

function mySelectChanged(value)
{
    //Call your original function
    updateTotals(myOptions[value].url, myOptions[value].title, myOptions[value].description);
}
</script>

<select id="mySelect" onchange="mySelectChanged(this.value);">
<?php
// Only the array key and the label go into the markup; the rest is looked up in JS
foreach ($myOptions as $value=>$option) {
    printf('<option value="%s">%s</option>', $value, $option['text']);
}
?>
</select>
```
José Carlos PHP
  • I will have to try this. Wouldn't the single quote in the description string mess up the array because it would end the description array value early? – Nicole Nov 10 '22 at 19:03
  • @Nicole If description is in a variable, you don't need to escape single quote nor anything. But yes if you write a literal string, in that case, just use \. I edited my answer to show you both examples, look at `$description3` var. – José Carlos PHP Nov 10 '22 at 22:56