472,958 Members | 2,411 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 472,958 software developers and data experts.

Javascript escaping madness

Hello everyone,
While I'm a newbie here, I a not new to google, so please don't send
me back, it would be useless.
First of all I have to specify I am working on a Blogger.com template,
therefore anything I'll write should be stuck on a single file.
I thought about creating a funny pop-up.
<a href="javascript:myFunction();"...
that's because, as you will see, the code for the popup is pretty
complex.
I've insterted myFunction somewhere in the file.
First question: according to the w3c validator, the only way to
include complex script, including string variables with HTML tags in
them, is to insert HTML comments?
Then, I've started by building a window caled myPopup and then
myPopup.document.write("<html>");...
The second question: is there a recommended way to insert string
constants in inline scripts? (AFAIK single quotes were recommended,
w3c also choked on double quotes, Mozilla does not like double quotes
too)
Then we had something more complex: html tags with attributes. I had
managed to insert them using escaping character such as
myPopup.document.write(' <p style= \' align:top \' > ');
But next, on the popup I had to inject some fancy inline JS code.
Third question: how would I, following the document.write way, insert
in the popup a code like:
<a href="#" onclick="if(document.all){bResult =
window.clipboardData.setData('Text',document.selec tion.createRange().text;}">
or maybe
<a href='#' onclick='if(document.all){bResult =
window.clipboardData.setData("Text",document.selec tion.createRange().text;}'>
Fourth, is there any difference between the two previous anchors in
the way they are written? Is one of the two forms recomended?
(somehow, it is the same question with the first one)
As you can see, two types of quotes are needed, and they should be
written through document.write. Is that even possible?
TIA,
LS.
Jul 23 '05 #1
5 2123
On 30 Jul 2004 15:38:29 -0700, Lucian Sandor <lu********@gmail.com> wrote:
Hello everyone,
While I'm a newbie here, I a not new to google, so please don't send
me back, it would be useless.
First of all I have to specify I am working on a Blogger.com template,
therefore anything I'll write should be stuck on a single file.
I thought about creating a funny pop-up.
<a href="javascript:myFunction();"...
Don't use this form. It causes several problems, not least of which
results in a page that is completely unusably by users that disable
JavaScript.

<URL:http://www.jibbering.com/faq/#FAQ4_24>
that's because, as you will see, the code for the popup is pretty
complex.
I've insterted myFunction somewhere in the file.
First question: according to the w3c validator, the only way to
include complex script, including string variables with HTML tags in
them, is to insert HTML comments?
This "error" is documented by the validator:

<URL:http://validator.w3.org/docs/help.html#faq-javascript>

Basically, the validator interprets "</" anywhere within the block as the
end of the SCRIPT element, even if the closing tag is not for a SCRIPT
element (browsers are allowed to do this!) When it examines the tag more
closely, it discovers that is not "</SCRIPT>" as it expects, hence the

end tag for element "..." which is not open

message. The solution, included in the validator's FAQ *and* the HTML
specification, is to escape the forward slash. That is, change

var myHTML = '<a href="myPage.html">Link</a>';

to

var myHTML = '<a href="myPage.html">Link<\/a>';

Whilst this has no effect on the script (in that regard, the lines are
identical), the HTML parser won't see "</".

Another solution is simply to remove the embedded script and place it in a
separate file.
Then, I've started by building a window caled myPopup and then
myPopup.document.write("<html>");...
It might be easier to create a skeleton HTML file, dynamically modifying
that, rather than creating it from scratch. Writing valid HTML (something
you should always endeavour to do) purely with document.write() calls is a
waste of time.
The second question: is there a recommended way to insert string
constants in inline scripts? (AFAIK single quotes were recommended,
w3c also choked on double quotes, Mozilla does not like double quotes
too)
You'll have to explain what you mean here. Define "insert string
constants" and your idea of "inline scripts". My notion of the latter is a
SCRIPT element with the code embedded, as opposed to a SCRIPT element with
the src attribute. Perhaps you mean intrinsic events? I'll assume that for
the moment.

If you need to include a double quote (") within a HTML attribute value,
you need to use entity references, just as you would with normal text:

<a onclick="myWin.document.write(&quot;Some text&quot;);return false">

To the JavaScript engine, this would be interpreted as:

myWin.document.write("Some text");return false
Then we had something more complex: html tags with attributes. I had
managed to insert them using escaping character such as
myPopup.document.write(' <p style= \' align:top \' > ');
Just covered that.
But next, on the popup I had to inject some fancy inline JS code.
Again, a shaky definition - "inline" - so I'll still assume intrinsic
events.
Third question: how would I, following the document.write way, insert
in the popup a code like:
<a href="#" onclick="if(document.all){bResult =
window.clipboardData.setData('Text',document.selec tion.createRange().text;}">
or maybe
<a href='#' onclick='if(document.all){bResult =
window.clipboardData.setData("Text",document.selec tion.createRange().text;}'>
I wouldn't recommend including such large amounts of code directly inside
an intrinsic event. You should limit the contents to a few simple
statements. Anything more complicated should be wrapped in a function. It
aids in debugging as you don't have to search a single, massive line. You
also avoid this whole debacle because there will be no nested strings
(they'll be in the SCRIPT block).

If you do want to persist, use entity references as I explained above.
Fourth, is there any difference between the two previous anchors in
the way they are written? Is one of the two forms recomended?
(somehow, it is the same question with the first one)
As you can see, two types of quotes are needed, and they should be
written through document.write. Is that even possible?


If you've taken my advice on board, these final questions shouldn't matter
anymore. However, I would stick to whatever format you use in your HTML.

Personally, I always use double quotes for HTML attributes, and single
quotes for JavaScript strings. This allows me to place double quotes
inside strings (which I do more often than apostrophes), and place strings
inside attribute values. That is:

'<a href="myPage.html">Link<\/a>'

and

onclick="showTitle('Introduction')"

If I needed to do both, you'd have to escape the internal double quotes as
character entities, irrespective of which quote type was outer- or
innermost.

Hope that helps,
Mike

--
Michael Winter
Replace ".invalid" with ".uk" to reply
Jul 23 '05 #2
"Michael Winter" <M.******@blueyonder.co.invalid> wrote in message news:<opsby5bnqcx13kvk@atlantis>...
On 30 Jul 2004 15:38:29 -0700, Lucian Sandor <lu********@gmail.com> wrote:
Hello everyone,
While I'm a newbie here, I a not new to google, so please don't send
me back, it would be useless.
First of all I have to specify I am working on a Blogger.com template,
therefore anything I'll write should be stuck on a single file.
I thought about creating a funny pop-up.
<a href="javascript:myFunction();"...
Don't use this form. It causes several problems, not least of which
results in a page that is completely unusably by users that disable
JavaScript.

<URL:http://www.jibbering.com/faq/#FAQ4_24>

I am aware of this recommendation, but this is a Blogger.com specific
issue. I would be glad to separate JS, HTML and CSS files, but this
option isn't available.
.....
The second question: is there a recommended way to insert string
constants in inline scripts? (AFAIK single quotes were recommended,
w3c also choked on double quotes, Mozilla does not like double quotes
too)


You'll have to explain what you mean here. Define "insert string
constants" and your idea of "inline scripts". My notion of the latter is a
SCRIPT element with the code embedded, as opposed to a SCRIPT element with
the src attribute. Perhaps you mean intrinsic events? I'll assume that for
the moment.

You are right, "inline" should be understood as scripts inserted in
the HTML file, as opposed to separate JS files.
If you need to include a double quote (") within a HTML attribute value,
you need to use entity references, just as you would with normal text:

<a onclick="myWin.document.write(&quot;Some text&quot;);return false">

To the JavaScript engine, this would be interpreted as:

myWin.document.write("Some text");return false

This is a good idea. I see already that the script is running already
in IE.

.... Hope that helps,
Mike

It helped indeed. Thank you.
Regards,
LS.
Jul 23 '05 #3
Lucian Sandor wrote:
"Michael Winter" <M.******@blueyonder.co.invalid> wrote in message news:<opsby5bnqcx13kvk@atlantis>...


Please do not write attribution novels.
On 30 Jul 2004 15:38:29 -0700, Lucian Sandor <lu********@gmail.com> wrote:
> Hello everyone,
> While I'm a newbie here, I a not new to google, so please don't send
> me back, it would be useless.
> First of all I have to specify I am working on a Blogger.com template,
> therefore anything I'll write should be stuck on a single file.
> I thought about creating a funny pop-up.
> <a href="javascript:myFunction();"...


Don't use this form. It causes several problems, not least of which
results in a page that is completely unusably by users that disable
JavaScript.

<URL:http://www.jibbering.com/faq/#FAQ4_24>

I am aware of this recommendation, but this is a Blogger.com specific
issue. I would be glad to separate JS, HTML and CSS files, but this
option isn't available.
....


You probably want

<script type="text/javascript">
document.write(
'<a href="#" onclick="myFunction(); return false">...<\/a>');
</script>

then.
If you need to include a double quote (") within a HTML attribute value,
you need to use entity references, just as you would with normal text:

<a onclick="myWin.document.write(&quot;Some text&quot;);return false">

To the JavaScript engine, this would be interpreted as:

myWin.document.write("Some text");return false


This is a good idea. I see already that the script is running already
in IE.


You should include a non-empty "href" attribute as well. An "a" element
without both the "href" attribute and one of "id" or "name" is just
nothing -- no hyperlink, no anchor. There are user agents which will
ignore the event handler because of this. You should always test your
scripts/documents with more than one user agent. If it works in IE, it
is simply not enough, because IE makes gold of every sh*t.
PointedEars
Jul 23 '05 #4
JRS: In article <41**************@PointedEars.de>, dated Sat, 31 Jul
2004 18:09:58, seen in news:comp.lang.javascript, Thomas 'PointedEars'
Lahn <Po*********@nurfuerspam.de> posted :
Lucian Sandor wrote:
"Michael Winter" <M.******@blueyonder.co.invalid> wrote in message news:<opsby

5bnqcx13kvk@atlantis>...

Please do not write attribution novels.


Fewmets.

Read
http://www.ietf.org/internet-drafts/...article-13.txt
http://www.ietf.org/internet-drafts/...-useage-00.txt
which indicate current thinking.

Lahn puts a naive degree of credence in a local document which is
without general authority, and in his own importance.

--
John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 MIME
Web <URL:http://www.uwasa.fi/~ts/http/tsfaq.html> -> Timo Salmi: Usenet Q&A.
Web <URL:http://www.merlyn.demon.co.uk/news-use.htm> : about usage of News.
No Encoding. Quotes before replies. Snip well. Write clearly. Don't Mail News.
Jul 23 '05 #5
Thomas 'PointedEars' Lahn babbled incoherently while quoting an
attribution line which included no extraneous information:
Lucian Sandor wrote:
"Michael Winter" <M.******@blueyonder.co.invalid> wrote in message news:<opsby5bnqcx13kvk@atlantis>...

Please do not write attribution novels.


Please stop your whining about inconsequential things, it detracts from
what you actually do know.
Jul 23 '05 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

13
by: Kai Grossjohann | last post by:
It seems that Ctrl-N in Mozilla opens a new empty browser window. That's fine, I don't need to do anything about it. But Ctrl-N in IE appears to clone the current window. Is there a way to...
7
by: Richard Trahan | last post by:
I need a javascript function to hex-encode a plus sign so I can pass the plus sign as an argument in a GET request. escape() and encodeURI() don't do it (and probably shouldn't, because '+' is a...
9
by: indi | last post by:
I've spent the last two hours trying every other solution listed, to no avail: this works, so I'm sharing it for the other folks who couldn't find a solution other than switching to another...
1
by: Kayvine | last post by:
Hi guys, this is a question I have for an assignment, it is pretty long, but I am not asking for the code(well if someone wants to write I'll be really happy, lol), but I just want to know how to...
1
by: Jonny B | last post by:
I've been working on an xsl transfomation on the clientside using JavaScript for a few days now and have been pulling my hair out because Mozzilla doesnt support output escaping but Internet Explorer...
12
by: pantagruel | last post by:
Hi, I'm thinking of making a WScript based JavaScript library, I can think of some specific non-browser specific scripting examples that should probably make it in, like Crockford's little...
1
by: NvrBst | last post by:
I want to use the .replace() method with the regular expression /^ %VAR % =,($|&)/. The following DOESN'T replace the "^default.aspx=,($|&)" regular expression with "":...
78
by: Jeremy J Starcher | last post by:
(Request for Discussion) I've put together a guide that I hope will help novice coders avoid the same hair pulling that I went through. I'm open for comments about it. Have I missed the...
2
by: DJRhino | last post by:
Was curious if anyone else was having this same issue or not.... I was just Up/Down graded to windows 11 and now my access combo boxes are not acting right. With win 10 I could start typing...
2
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 4 Oct 2023 starting at 18:00 UK time (6PM UTC+1) and finishing at about 19:15 (7.15PM) The start time is equivalent to 19:00 (7PM) in Central...
0
tracyyun
by: tracyyun | last post by:
Hello everyone, I have a question and would like some advice on network connectivity. I have one computer connected to my router via WiFi, but I have two other computers that I want to be able to...
4
NeoPa
by: NeoPa | last post by:
Hello everyone. I find myself stuck trying to find the VBA way to get Access to create a PDF of the currently-selected (and open) object (Form or Report). I know it can be done by selecting :...
3
NeoPa
by: NeoPa | last post by:
Introduction For this article I'll be using a very simple database which has Form (clsForm) & Report (clsReport) classes that simply handle making the calling Form invisible until the Form, or all...
1
by: Teri B | last post by:
Hi, I have created a sub-form Roles. In my course form the user selects the roles assigned to the course. 0ne-to-many. One course many roles. Then I created a report based on the Course form and...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 1 Nov 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM) Please note that the UK and Europe revert to winter time on...
3
by: nia12 | last post by:
Hi there, I am very new to Access so apologies if any of this is obvious/not clear. I am creating a data collection tool for health care employees to complete. It consists of a number of...
0
NeoPa
by: NeoPa | last post by:
Introduction For this article I'll be focusing on the Report (clsReport) class. This simply handles making the calling Form invisible until all of the Reports opened by it have been closed, when it...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.