BlairHippo

Reputation: 9658

Escaping JavaScript in PHP

I'm looking for the best way to escape some JavaScript text in PHP, and json_encode is the wrong tool for the job.

The problem comes from this line:

echo " onclick=\"SwitchDiv('" . $option . "')\"";

If there's an apostrophe in $option, this is a juicy ball of client-side fail. But doing a straight json_encode (which works perfectly well in other contexts) doesn't help:

echo " onclick=\"SwitchDiv(" . json_encode($option) . ")\"";

That creates an output string of onclick="SwitchDiv("athlete's foot")", resulting in premature termination of the onclick value. (Which also happens if I enclose the onclick value in single quotes.)

Is there an elegant way around this? Should I just funnel the json_encode output through a regex that will escape the single quotes?

Upvotes: 0

Views: 90

Answers (1)

lanzz

Reputation: 43158

json_encode is the right tool for the job. Your problem arises from the fact that you are also including that JavaScript in an HTML attribute, thus it also needs to be htmlspecialchars-encoded.

echo " onclick=\"SwitchDiv(" . htmlspecialchars(json_encode($option)) . ")\"";

Upvotes: 3
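
As an added example (not code from the question or the answer), the two encoding layers the answer describes can be wrapped in one helper and checked by undoing them in the order a browser does. The helper name `js_attr`, the `JSON_HEX_*` and `ENT_QUOTES` hardening flags, and the sample values are assumptions of this example; it needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (the name is an assumption): encode a PHP value as a
// JavaScript literal that is safe inside a quoted HTML attribute value.
function js_attr(mixed $value): string
{
    // Layer 1, JavaScript: json_encode() emits a valid JS literal. The
    // JSON_HEX_* flags turn <, >, &, ' and " inside strings into \uXXXX
    // escapes; JSON_THROW_ON_ERROR rejects invalid UTF-8 instead of
    // silently returning false.
    $js = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_THROW_ON_ERROR
    );

    // Layer 2, HTML attribute: ENT_QUOTES encodes both quote styles, so the
    // result works in onclick="..." as well as onclick='...'.
    return htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values, including the one from the question.
$samples = ["athlete's foot", 'say "hi"', '</script><b>&amp;', "line\nbreak"];

foreach ($samples as $option) {
    $attr = js_attr($option);
    echo '<a onclick="SwitchDiv(' . $attr . ')">', "\n";

    // Undo the layers the way a browser does: HTML attribute decoding
    // first, then parsing of the JavaScript literal.
    $script = html_entity_decode($attr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $roundTrip = json_decode($script, false, 512, JSON_THROW_ON_ERROR);

    // No raw quote or angle bracket may survive in the attribute value, and
    // the value the script receives must equal the original string.
    if (strpbrk($attr, "\"'<>") !== false || $roundTrip !== $option) {
        throw new RuntimeException("encoding failed for: $option");
    }
}
echo "all samples round-trip\n";
```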
