Escape String in PHP For JavaScript To Use

Question

I am receiving some code through AJAX and handling it like so:

$verifiedSubject = addslashes(htmlentities($_REQUEST['subject']));
$verifiedBody = addslashes(htmlentities($_REQUEST['body']));
$verifiedAttachment1 = addslashes(htmlentities($_REQUEST['attachment1']));
$verifiedAttachment2 = addslashes(htmlentities($_REQUEST['attachment2']));

echo '<div id="subject" style="text-decoration: underline; cursor:pointer; display: inline; margin-bottom: 2%;" onclick=\'readmore("'.json_encode($verifiedSubject).'", "'.json_encode($verifiedBody).'", "'.json_encode($verifiedAttachment1).'", "'.json_encode($verifiedAttachment2).'")\'>';
echo $_REQUEST['subject'];
echo '</div>';

In the above code I am attempting to convert any HTML code to entities, add slashes to escape single and double quotes, and then json_encode() it for JavaScript to handle in an onclick function.

However, when the text is clicked to inititate the onclick I get this error:

Uncaught SyntaxError: missing ) after argument list

I've tried a variety of PHP functions to try and properly escape this string but nothing seems to work. Can anybody help me out?

Update of page source:

<script>
var date = "Monday, November 16th, 2015 Announcements";
formatAnnouncement( '55', 
                    'Hi',
                    '<b  rgb(0, 0, 0); font-family: Arial, Helvetica, sans; font-size: 11px; line-height: 14px; text-align: justify;\">Lorem Ipsum</b><span  rgb(0, 0, 0); font-family: Arial, Helvetica, sans; font-size: 11px; line-height: 14px; text-align: justify;\">&nbsp;is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry\'s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.</span>',
                    '0',
                    '',
                    '',
                    '******',
                    '2015-11-16 16:53:23',
                    date
                    );
</script>

Answer 1

It looks like the result that it's echoing has too many quotation marks. Try this:

echo '<div id="subject" style="text-decoration: underline; cursor:pointer; display: inline; margin-bottom: 2%;" onclick=\'readmore('.json_encode($verifiedSubject).', '.json_encode($verifiedBody).', '.json_encode($verifiedAttachment1).', '.json_encode($verifiedAttachment2).')\'>';
echo $_REQUEST['subject'];
echo '</div>';

Answer 2

You're doing it wrong. json_encode() does EVERYTHING you need to simply use the resulting string as an assignable "value". e.g.

<?php

$foo = 'bar';
?>

<script>
    var test1 = <?php echo json_encode($foo); ?>;   // this works
    var test2 = "<?php echo json_encode($foo); ?>; // this doesn't

What you'll end up with is:

var test1 = "bar";
var test2 = ""bar"";  //syntax error - two empty strings with undefined var between them

So what you should have in your code is:

echo '<div id="subject" style="text-decoration: underline;
   cursor:pointer; display: inline; margin-bottom: 2%;"
  onclick=\'readmore('.json_encode($verifiedSubject). ', '. 
                      ^--no "                          ^-^--ditto 
  etc...

There's no need for the addslashes, because json will escape everything that's necessary to turn your values into a "safe" javascript string representation. However, since you are embedding this json text inside an html onclick, the htmlentities is most likely required, to prevent " chars from "breaking out" of the html.