html special chars in tag onclick

Question

I have a tag with onclick event, like that:

onclick="cl_showEvents({ 
    'posts' :     
    [{
        'CategoryName':'categoryName',
        'postID':'1',
        'title':'title',
        'address':'address',
        'time':'00:00'}]
    })"

It works fine, until an escape sequence is issued, like so:

onclick="cl_showEvents({ 
    'posts' :     
    [{
        'CategoryName':'categoryName',
        'postID':'1',
        'title':'title',
        'address':'streetName st'',
        'time':'00:00'}]
    })"

What do I miss?

Answer 1

It's not because the character is HTML encoded, it's just because it's an apostrophe. As you are using apostrophes as string delimiters, you have to escape the apostrophe inside the string:

onclick="cl_showEvents({ 
  'posts' :     
  [{
    'CategoryName':'categoryName',
    'postID':'1',
    'title':'title',
    'address':'streetName st\'',
    'time':'00:00'}]
  })"

Note that the apostrophe doesn't need to be HTML encoded, you can just use a regular apostrophe (and seeing the code like this makes it more obvious why the apostrophe needs escaping):

onclick="cl_showEvents({ 
  'posts' :     
  [{
    'CategoryName':'categoryName',
    'postID':'1',
    'title':'title',
    'address':'streetName st\'',
    'time':'00:00'}]
  })"

Answer 2

Put a backslash before the ampersand:

 'address':'streetName st\''

to avoid the converting of the entity &39; into the char it represents.

Answer 3

Not an answer to your question - I'm not sure how ' breaks this construction - but this is way too much stuff to put in a tag IMO. I would recommend moving the whole thing into a separate script in the bottom of the page or in a load/ DOMLoad event.

Sans jQuery:

document.getElementById("your_element").onclick = function() 
  {
   cl_showEvents({ 
   'posts' :     
    [{
    'CategoryName':'categoryName',
    'postID':'1',
    'title':'title',
    'address':'streetName st'',
    'time':'00:00'}]
    })

  }