Escape quotes in JavaScript

Asked 5/1, 2010 at 4:30 Answered 12/2, 2024 at 14:44

256

I'm outputting values from a database (it isn't really open to public entry, but it is open to entry by a user at the company -- meaning, I'm not worried about XSS).

I'm trying to output a tag like this:

<a href="" onclick="DoEdit('DESCRIPTION');">Click Me</a>

DESCRIPTION is actually a value from the database that is something like this:

Prelim Assess "Mini" Report

I've tried replacing " with \", but no matter what I try, Firefox keeps chopping off my JavaScript call after the space after the word Assess, and it is causing all sorts of issues.

I must bemissing the obvious answer, but for the life of me I can't figure it out.

Anyone care to point out my idiocy?

Here is the entire HTML page (it will be an ASP.NET page eventually, but in order to solve this I took out everything else but the problem code)

<html>
    <body>
        <a href="#" onclick="DoEdit('Preliminary Assessment \"Mini\"'); return false;">edit</a>
    </body>
</html>

Argueta answered 5/1, 2010 at 4:30 Comment(3)

It's a good idea to make your onclick event attachment unobtrusive and to move all of your database information into a data island. Things will be cleaner and you'll actually get some sort of syntax error when your strings are escaped wrong. – Johen 5/1, 2010 at 4:40

Possible duplicate of How do I escape a string inside JavaScript code inside an onClick handler?. – Creativity 4/5, 2015 at 17:19

You can also use escape("string") and unescape("string") jquery methods – Satisfactory 4/4, 2019 at 16:31

242

You need to escape the string you are writing out into DoEdit to scrub out the double-quote characters. They are causing the onclick HTML attribute to close prematurely.

Using the JavaScript escape character, \, isn't sufficient in the HTML context. You need to replace the double-quote with the proper XML entity representation, ".

Vogele answered 5/1, 2010 at 4:34 Comment(9)

Right, but wouldn't that be this? <a href="#" onclick="DoEdit('Preliminary Assessment \"Mini\"'); return false;">edit</a> I tried that, and it is still screwing up. This has got to be a simple WTF but for the life of me, I can't see it. – Argueta 5/1, 2010 at 4:35

Is there any built-in JavaScript function that would escape the double quotes ? Apart from 'quo"'.replace('"', '"') I can't find anything. – Towrope 18/8, 2010 at 14:39

It's not a javascript issue, it's an HTML/XML encoding issue: you can't have double-quote characters inside an attributes value w/o escaping them... otherwise browsers/parsers think you're ending the attribute value declaration. – Vogele 21/8, 2010 at 7:9

example replacement code: 'mystring'.replace(/"/g, '"'); – Eurydice 28/3, 2013 at 22:53

in the previous comment there is an extra quote. The code that works is 'mystring'.replace(/'/g, '"'); – Spanker 13/1, 2014 at 15:35

I know this is an old question, but why not simply use encodeURIComponent() / decodeURIComponent() -- to my knowledge they do exactly what you want and have been around since Armstrong walked on the moon or thereabouts i.e. all browsers support it. – Frogfish 11/8, 2016 at 17:36

@Adergaard, nope. Those are for a third escape scheme used by HTTP in URLs. encodeURIComponent('"') == '%22' (URI includes URL). – Fiske 17/9, 2016 at 2:13

@BobStein-VisiBone Well, in my usecase it works perfectly. I have data-attributes that need to contain user generated text and when using my suggestion it works like a charm from mandarine chinese to danish with all 14 excalmation points used. – Frogfish 20/9, 2016 at 7:32

@AgustinLopez I don't see an extra quote in Joshua Burns' answer - just a double quote instead of a single quote. – Hittel 25/10, 2017 at 16:29

116

" would work in this particular case, as suggested before me, because of the HTML context.

However, if you want your JavaScript code to be independently escaped for any context, you could opt for the native JavaScript encoding:
' becomes \x27
" becomes \x22

So your onclick would become:
DoEdit('Preliminary Assessment \x22Mini\x22');

This would work for example also when passing a JavaScript string as a parameter to another JavaScript method (alert() is an easy test method for this).

I am referring you to the duplicate Stack Overflow question, How do I escape a string inside JavaScript code inside an onClick handler?.

Dulcinea answered 18/9, 2012 at 8:58 Comment(5)

Thank you! Yours is the more correct answer because it is native JavaScript regardless of context. – Woody 30/7, 2013 at 5:51

This is the correct answer, although in an HTML context using " will, of course, work. – Anent 11/3, 2014 at 12:5

Note that " is required in input values, i.e., <input value="\x22quoted string\x22"> will not work. – Manipur 31/3, 2018 at 6:26

@10basetom naturally, JavaScript escaping only works in a JavaScript context, like event handlers (onclick="..."). The value of a value attribute is not being processed within a JavaScript context, only within an HTML context. – Dulcinea 11/4, 2018 at 13:58

replacement code: 'mystring'.replace(/"/g, '\\x22').replace(/'/g, '\\x27') – Pester 1/5, 2018 at 16:33

<html>
    <body>
        <a href="#" onclick="DoEdit('Preliminary Assessment &quot;Mini&quot;'); return false;">edit</a>
    </body>
</html>

Should do the trick.

Devil answered 5/1, 2010 at 5:27 Comment(0)

Folks, there is already the unescape function in JavaScript which does the unescaping for \":

<script type="text/javascript">
    var str="this is \"good\"";
    document.write(unescape(str))
</script>

Digger answered 25/7, 2011 at 17:32 Comment(2)

A combination of "escape"/"unescape" did what I needed. Thanks. – Kiva 6/1, 2012 at 4:53

escape/unescape are deprecated. although encodeURI does more than just quotes. gotochriswest.com/blog/2011/05/23/escape-unescape-deprecated – Hermaherman 21/11, 2012 at 2:15

This is how I do it, basically str.replace(/[\""]/g, '\\"').

var display = document.getElementById('output');
var str = 'class="whatever-foo__input" id="node-key"';
display.innerHTML = str.replace(/[\""]/g, '\\"');

//will return class=\"whatever-foo__input\" id=\"node-key\"

<span id="output"></span>

Vehicular answered 31/5, 2016 at 0:8 Comment(0)

The problem is that HTML doesn't recognize the escape character. You could work around that by using the single quotes for the HTML attribute and the double quotes for the onclick.

<a href="#" onclick='DoEdit("Preliminary Assessment \"Mini\""); return false;'>edit</a>

Denten answered 5/1, 2010 at 4:44 Comment(1)

Yikes. I was wondering why I naturally resorted to using ' for the attribute in the past. I just never delved into it all that deeply. Thanks. – Argueta 5/1, 2010 at 5:15

If you're assembling the HTML in Java, you can use this nice utility class from Apache commons-lang to do all the escaping correctly:

org.apache.commons.lang.StringEscapeUtils
Escapes and unescapes Strings for Java, Java Script, HTML, XML, and SQL.

Velazquez answered 4/1, 2012 at 11:22 Comment(1)

I use org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript(text) to construct methodExpression in Java. Thanks. – Fibrin 17/5, 2017 at 4:23

Please find in the below code which escapes the single quotes as part of the entered string using a regular expression. It validates if the user-entered string is comma-separated and at the same time it even escapes any single quote(s) entered as part of the string.

In order to escape single quotes, just enter a backward slash followed by a single quote like: \’ as part of the string. I used jQuery validator for this example, and you can use as per your convenience.

Valid String Examples:

'Hello'

'Hello', 'World'

'Hello','World'

'Hello','World',' '

'It\'s my world', 'Can\'t enjoy this without me.', 'Welcome, Guest'

HTML:

<tr>
    <td>
        <label class="control-label">
            String Field:
        </label>
        <div class="inner-addon right-addon">
            <input type="text" id="stringField"
                   name="stringField"
                   class="form-control"
                   autocomplete="off"
                   data-rule-required="true"
                   data-msg-required="Cannot be blank."
                   data-rule-commaSeparatedText="true"
                   data-msg-commaSeparatedText="Invalid comma separated value(s).">
        </div>
    </td>

JavaScript:

     /**
 *
 * @param {type} param1
 * @param {type} param2
 * @param {type} param3
 */
jQuery.validator.addMethod('commaSeparatedText', function(value, element) {

    if (value.length === 0) {
        return true;
    }
    var expression = new RegExp("^((')([^\'\\\\]*(?:\\\\.[^\'\\\\])*)[\\w\\s,\\.\\-_\\[\\]\\)\\(]+([^\'\\\\]*(?:\\\\.[^\'\\\\])*)('))(((,)|(,\\s))(')([^\'\\\\]*(?:\\\\.[^\'\\\\])*)[\\w\\s,\\.\\-_\\[\\]\\)\\(]+([^\'\\\\]*(?:\\\\.[^\'\\\\])*)('))*$");
    return expression.test(value);
}, 'Invalid comma separated string values.');

Hallucinosis answered 3/4, 2017 at 15:7 Comment(0)

You can copy those two functions (listed below), and use them to escape/unescape all quotes and special characters. You don't have to use jQuery or any other library for this.

function escape(s) {
    return ('' + s)
        .replace(/\\/g, '\\\\')
        .replace(/\t/g, '\\t')
        .replace(/\n/g, '\\n')
        .replace(/\u00A0/g, '\\u00A0')
        .replace(/&/g, '\\x26')
        .replace(/'/g, '\\x27')
        .replace(/"/g, '\\x22')
        .replace(/</g, '\\x3C')
        .replace(/>/g, '\\x3E');
}

function unescape(s) {
    s = ('' + s)
       .replace(/\\x3E/g, '>')
       .replace(/\\x3C/g, '<')
       .replace(/\\x22/g, '"')
       .replace(/\\x27/g, "'")
       .replace(/\\x26/g, '&')
       .replace(/\\u00A0/g, '\u00A0')
       .replace(/\\n/g, '\n')
       .replace(/\\t/g, '\t');

    return s.replace(/\\\\/g, '\\');
}

Kiaochow answered 25/6, 2019 at 7:11 Comment(1)

not working for me. it can't escape double quotes – Danilodanio 3/4, 2021 at 22:40

I have done a sample one using jQuery

var descr = 'test"inside"outside';
$(function(){
   $("#div1").append('<a href="#" onclick="DoEdit(descr);">Click Me</a>');       
});

function DoEdit(desc)
{
    alert ( desc );
}

And this works in Internet Explorer and Firefox.

Delorisdelorme answered 5/1, 2010 at 4:40 Comment(1)

Of course it does, because you aren't putting it directly in the attribute. To use your method, I'd have to create an array of JS strings, then do an arbitrary number of $("#divxxx")... assignments. Less than optimal, but thanks for the suggestion. – Argueta 5/1, 2010 at 5:14

May well be an exception, but recently I had to use this in a project:

elem.textContent.replace(/'/g, '\\\x27')

In this a11y bookmarklet: Highlighting image alt text

Probably due to being processed twice plus the bookmarklet requiring its own double quotes.

Bedpost answered 12/2, 2024 at 14:44 Comment(0)

Escape whitespace as well. It sounds to me like Firefox is assuming three arguments instead of one.   is the non-breaking space character. Even if it's not the whole problem, it may still be a good idea.

Plow answered 5/1, 2010 at 6:8 Comment(0)

You need to escape quotes with double backslashes.

This fails (produced by PHP's json_encode):

<script>
  var jsonString = '[{"key":"my \"value\" "}]';
  var parsedJson = JSON.parse(jsonString);
</script>

This works:

<script>
  var jsonString = '[{"key":"my \\"value\\" "}]';
  var parsedJson = JSON.parse(jsonString);
</script>

Nominalism answered 22/3, 2017 at 14:50 Comment(0)

-2

You can use the escape() and unescape() jQuery methods. Like below,

Use escape(str); to escape the string and recover again using unescape(str_esc);.

Satisfactory answered 4/4, 2019 at 16:33 Comment(1)

Use of the escape() function is discouraged. Use encodeURI() or encodeURIComponent() instead. developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/… – Spore 25/8, 2022 at 12:13

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags