3

I have a form on my site that runs some basic JS validation when the user clicks submit, before the form is submitted, but I am getting an error 'unterminated string literal' when checking some of the fields.

I understand what this error is (users adding line breaks in a textarea in this case) but I cannot think of a way of avoiding/fixing it.

Here is how I declare the form -

<form id="<?php echo $form_name; ?>" 
      name="<?php echo $form_name; ?>" 
      class="standard-form" 
      method="POST" action="" 
      onsubmit="return validate_form('<?php echo $form_name; ?>')">

And here is how I am checking the field that is causing me trouble -

var your_query = document.forms['enquiry']['your_query'].value
if(your_query === ''){
    result = false;
}

Any help here would be appriciated.

Thanks.

Jamiec
  • 133,658
  • 13
  • 134
  • 193
David Gard
  • 11,225
  • 36
  • 115
  • 227
  • An unterminated string literal is usually caused by an unescaped value being used in a JavaScript expression, but there aren't any in the code you posted (unless you have a crazy form name)--are you sure you posted where the error is happening? – Dave Newton Oct 05 '11 at 13:23
  • The error in this case is because users are sometimes putting newlines in the 'your_query' filed, which is a textarea. You are right that though that the error is being generated a little later in the process than I first thought, at a time where I am making an object to pass to an AJAX page - writing a vaule through PHP that has line breaks is actually what is causing this, not the simple presence of line breaks. – David Gard Oct 05 '11 at 13:32
  • @Dave Newton - Is not `return validate_form('')` an unescaped value being used in a JavaScript expression? – Richard JP Le Guen Oct 05 '11 at 13:41
  • 1
    @RichardJPLeGuen "[...] unless you have a crazy form name [...]" – Dave Newton Oct 05 '11 at 13:44
  • @RichardJPLeGuen Also, OP stated that the issue was happening on form submission, whereas a single quote in the form name would cause an error on initial render, or before form field validation began. Hence my question regarding whether or not the error was happening later (which was correct) rather than guessing an answer before enough info was known. – Dave Newton Oct 05 '11 at 13:45
  • @Dave Newton - My bad; didn't read that part of your comment... but `return validate_form('')` is in the `onsubmit` attribute, so I think it fits with the form submission problem. – Richard JP Le Guen Oct 05 '11 at 13:50
  • @RichardJPLeGuen Not really, because it was specific fields causing the issue. If the form name had contained a single quote the error would have happened when making the JS call, not at an arbitrary point within the call. – Dave Newton Oct 05 '11 at 13:51
  • @Richards answer seems logical. If that doesn't work for you, this SO post contains lots of things to check for: http://stackoverflow.com/questions/227552/common-sources-of-unterminated-string-literal. – James Hill Oct 05 '11 at 13:24

1 Answers1

4

My guess is $form_name contains a single quote character: '

First, you should really escape that output with htmlentities and json_encode:

<form id="<?php echo htmlentities($form_name); ?>"
      name="<?php echo htmlentities($form_name); ?>"
      class="standard-form"
      method="POST"
      action=""
      onsubmit="return validate_form(<?php echo htmlentities(json_encode($form_name)); ?>)">

See also Pass a PHP string to a Javascript variable (including escaping newlines)

Next, don't use that onsubmit intrinsic event attribute and don't pass the form name to it; use proper DOM scripting (or jQuery) and event handling in your JavaScript file:

(function() {
    var form = document.getElementById("<?php echo json_encode($form_name); ?>");
    form.addEventListener('submit', onSubmit, false);

    function onSubmit() {
        // manipulate variable `form` as necessary
        // without having to pass around a `form_name`
    }
}());
Community
  • 1
  • 1
Richard JP Le Guen
  • 28,364
  • 7
  • 89
  • 119
  • Had to make a correction; `json_encode` doesn't need quotes around it in the JavaScript – Richard JP Le Guen Oct 05 '11 at 13:28
  • Thanks for the suggestions. I'll take on board what you said about not using onSumbit() (probably not today though!), but in the mean time 'json_encode()' is getting me past the original error (thanks), but now we're back on the PHP side of things all of my values are wrapped (/"{value}/"), and 'json_decode()' isn't returning that as I thought it would. Any suggestions there at all? – David Gard Oct 05 '11 at 13:47
  • @Daveid Gard - I don't follow what you mean, on the PHP side of things. – Richard JP Le Guen Oct 05 '11 at 13:49
  • I'm using AJAX and the error was occuring when I was using PHP to output in JS ('json_encode()' solved that), so then an object is passed and populates '$_POST', but all of the values in '$_POST' are now json encoded and cause errors in PHP. – David Gard Oct 05 '11 at 14:07
  • [`json_decode`](http://php.net/manual/en/function.json-decode.php) them maybe? ;) – Richard JP Le Guen Oct 05 '11 at 14:12
  • `stripslashes()` is getting rid of the slashes (as you'd hope!), but sadly `json_decode()` is not playing ball. In fact, I've just run `stripslashes()` and then `json_decode()` one after the other and `json_decode()` is actually butting the slashes back on! :( – David Gard Oct 05 '11 at 14:16
  • @David Gard - Whoa! Not sure what the deal is, but it looks like this is enough to merit a new question :P – Richard JP Le Guen Oct 05 '11 at 14:23
  • Well I've made some changes to the code for now to get the form working - Basically all I've lost is the loading icon at the moment, so I've just gotta hope that users are patient and don't repeatidly click 'send' while I'm updating the code properly. Thanks for your help. – David Gard Oct 05 '11 at 15:46