Login/Register
Escaping Qualtrics piped text for use in javascript (more generally, how to safely escape user-generated text)
Asked Answered
javascriptsecurityescapingqualtrics
M

2

14

In my Qualtrics survey I have a free-response (textbox) question. I'd like to get the response to this question into javascript so I can do some complicated text processing and post the result to an external page.

It looks like the official Qualtrics way to do that is to use the piped text code:

var answer = "${q://QID1/ChoiceTextEntryValue}"

But this generates javascript code with the literal response inserted into the code. If a survey-taker puts a quote mark in their response, it will break the code. I've also verified that it can be used to inject arbitrary javascript!

Is there any way to assign a user-generated value to a variable safely?

What I've tried:

  • It would be nice if there were an API call that put the response directly into a javascript variable without having to use piped text. I've examined their API documentation and talked to tech support, and it doesn't look like such a function exists.
  • It would also be helpful if Qualtrics had a built-in feature for character substitution that I could use to strip quotes, but I don't think it does.
  • I could use response validation to prevent respondents from submitting a response that has quote marks in it. This is the only workable solution I've come up with, but it would be annoying for users.
Meakem answered 2/12, 2014 at 18:30 Comment(1)
I have this problem too. I would love a solution. Currently I'm using response validation to prevent a user from entering quotes, which is silly.Southwestwardly
S
0

I'm a bit late to the party, but by following this support ticket, I was able get the question response text like so:

Qualtrics.SurveyEngine.addOnPageSubmit(function()
{

/* Get current question ID (e.g. 'QID10') */
var qid_str = this.questionId;

/* console log to check what ID was capture (you can comment this line)*/
console.log('Question is: QR~' + qid_01_str)

// Save the current question's response value QR~QID247~TEXT
var responseTextField = document.getElementById('QR~' + qid_str);
var currentResponse = responseTextField.value;

/* console log to see what was captured (you can comment this line too)*/
console.log('response text is: ' + currentResponse)

});

This solved my own problems with double quotes in piped text breaking things. Hopefully it helps some other SO archaeologist like myself who has this problem as well!

Southwestwardly answered 23/2, 2021 at 3:39 Comment(1)
Can you explain what that does in layman terms please? What is the "escape character"? For example: replace all ~ characters with two ~ characters and then replace all " characters with one ~ characters (as is done in various datacom protocols--avoids ~ vs. " ambiguity).Superbomb
R
0

Again a little late - perhaps you've moved on or found a solution? Can you confirm that you are talking about manipulating a text string (whether it be sourced from a text box in the survey or imported via a contact list upload) in Javascript? If so I've just come across some good info here How To Work with Strings in JavaScript where it talks about using the back tick instead of single or double quote to encase the piped text. This then allows the string to be used / recorded in its literal sense and taking into account apostrophes and double quotes in the string.

so instead of : var answer = "${q://QID1/ChoiceTextEntryValue}"

you replace the double quotes with backticks. I'm afraid I can't post it here as the code tool here uses backticks!!

Raji answered 23/4, 2021 at 9:4 Comment(1)
that will not always work since you will be unable to differentiate between backticks and double quotesSuperbomb

© 2022 - 2024 — McMap. All rights reserved.