Escaping quotes in Javascript variable from Classic ASP

Question

How can I escape quotes using a Classic ASP variable in javascript/jQuery? The ASP variable is taken from a DB. I'm using:

var goala = "<%=(goal_a)%>";

But obviously that appears as

var goala = "<p>testing "quotation" marks</p>";

when the page loads, which breaks the function with unexpected identifier.

edit: I'm using using jQuery not "how can I achieve this using jQuery" sorry wasn't clear.

Any ideas? Thanks

Answer 1

It has been a while I dealt with this stuff. You have to encode your data to use it inside an attribute. Try this.

<%=server.HTMLEncode(goal_a)%>

Answer 2

Adapting the answer for another language gives a more robust solution:

Function JavascriptStringEncode(text)
    If IsEmpty(text) Or text = "" Or IsNull(text) Then
        JavascriptStringEncode = text
        Exit Function
    End If

    Dim i, c, encoded, charcode
    ' Adapted from https://stackoverflow.com/q/2920752/1178314
    encoded = ""
    For i = 1 To Len(text)
        c = Mid(text, i, 1)
        Select Case c
            Case "'"
                encoded = encoded & "\'"
            Case """"
                encoded = encoded & "\"""
            Case "\"
                encoded = encoded & "\\"
            Case vbFormFeed
                encoded = encoded & "\f"
            Case vbLf
                encoded = encoded & "\n"
            Case vbCr
                encoded = encoded & "\r"
            Case vbTab
                encoded = encoded & "\t"
            Case "<" ' This avoids breaking a <script> content, in case the string contains "<!--" or "<script" or "</script"
                encoded = encoded & "\x3C"
            Case Else
                charcode = AscW(c)
                If charcode < 32 Or charcode > 127 Then
                    encoded = encoded & GetJavascriptUnicodeEscapedChar(charcode)
                Else
                    encoded = encoded & c
                End If
        End Select
    Next 

    JavascriptStringEncode = encoded
End Function

' Taken from https://stackoverflow.com/a/2243164/1178314
Function GetJavascriptUnicodeEscapedChar(charcode)
    charcode = Hex(charcode)
    GetJavascriptUnicodeEscapedChar = "\u" & String(4 - Len(charcode), "0") & charcode
End Function

It is done also with the help of this answer on how to get the javascript unicode escaping, and it has the benefits explained in this other answer.

Note that I have not specially escaped " and ' as suggested in that other answer, because I consider that in an html "regular" context (attribute values by example), a HTMLEncode must be additionally done anyway, and it will take care of quotes (and of ampersands, ...).
< is still specially handled due to the <script> context case, where HTMLEncode cannot be used (it won't be html decoded from the Javascript code standpoint, when used inside a <script> tag). See here for more on the <script> case.

Of course, a way better solution is to avoid putting any Javascript directly in the HTML, but have it all in separated Javascript files. Data should be given through data- attributes on html tags.

Answer 3

You've asked how to do this "Using jQuery." You can't. By the time jQuery would be involved, the code would already be invalid. You have to fix this server-side.

Classic ASP is unlikely to have anything built-in that will help you solve this in the general case.

Note that you have to handle more than just " characters. To successfully output text to a JavaScript string literal, you'll have to handle at least the quotes you use (" or '), line breaks, any other control characters, etc.

If you're using VBScript as your server-side language, you can use Replace to replace the characters you need to replace:

var goala = "<%=Replace(goal_a, """", "\""")%>";

Again, though, you'll need to build a list of the things you need to handle and work through it; e.g.

var goala = "<%=Replace(Replace(Replace(goal_a, """", "\"""), Chr(13), "\n"), Chr(10), "\r")%>";

...and so on.

If your server-side language is JScript, you can use replace in much the same way:

var goala = "<%=goal_a.replace(/"/g, "\\\").replace(/\r/g, "\\r").replace(/\n/g, "\n")%>";

...and so on. Note the use of regular expressions with the g flag so that you replace all occurrences (if you use a string for the first argument, it just replaces the first match).