Sarawut Positwinyu

Reputation: 5042

Why does the JavaScript escape character for a quotation mark in a string need to be \\' instead of \'?

I just had a problem with JavaScript I am using in code-behind on ASP.NET; after a few hours of figuring it out, it turned out to be a problem with the escape character.

At first I used this:

ScriptManager.RegisterStartupScript(this, this.GetType(), "temp", "alert('Can't delete this data because it is bound with rate plan');", true);

This causes a JavaScript error because the quotation mark in "Can't" needs an escape character, so I used:

ScriptManager.RegisterStartupScript(this, this.GetType(), "temp", "alert('Can\'t delete this data because it is bound with rate plan');", true);

But it still did not work.

At last I used:

ScriptManager.RegisterStartupScript(this, this.GetType(), "temp", "alert('Can\\'t delete this data because it is bound with rate plan');", true);

And it is fine.

I am just curious why we need to use \\' instead of \' in order to make the escape character work correctly.

Upvotes: 5

Views: 4679

Answers (5)

Matt

Reputation: 27001

Single quotes and apostrophes in names (such as O'Brian) usually cause trouble in dynamic client scripts, because they break them and allow malicious code to be inserted (aka scripting attacks).

I have written the following C# 6 extension method for code-behind to solve this:

public static class Extension
{
    public static string ToSQEscapedStringJS<T>(this T unescapedStr)
    {
        if (unescapedStr == null || unescapedStr.ToString() == "")
        {
            return "''";
        }
        // replace ' by @@@
        var escapedStr = (unescapedStr).ToString().Replace("'", "@@@"); 
        // JS code to replace @@@ by '
        string unEscapeSQuote = "replace(/@{3}/g, String.fromCharCode(0x27))"; 
        // add @@@ escaped string with conversion back to '
        return $"('{escapedStr}'.{unEscapeSQuote})"; 
    }
}

Its usage is simple. Consider the following dynamic script example:

// contains an apostrophe (aka single quote) and is dangerous for your script block
var name = "O'Brian"; 
var nameEscp = name.ToSQEscapedStringJS(); // creates JS expression from it
// building up the script
string strScript = 
   $"<script>window.opener.document.forms(0).{control.Value}.value = {nameEscp};</script>";
ClientScript.RegisterClientScriptBlock(this.GetType(), "anything", strScript);

Note that nameEscp is already surrounded by single quotes, so you can safely place it after the =.

The trick is that the string is escaped and upon assignment immediately unescaped (by executing a JavaScript expression) on the fly, i.e.

.value = ('O@@@Brian'.replace(/@{3}/g, String.fromCharCode(0x27)));

will be the inserted assignment expression which will be sent to the client as script. After execution, .value contains O'Brian.

Upvotes: 0

Matías Fidemraizer

Reputation: 64933

Because "\" is the escaping character for C# too.

I'd prefer to use the special @ operator at the beginning of your string, just before it starts, because it tells C# that it mustn't process escape characters.

For example:

ScriptManager.RegisterStartupScript(this, this.GetType(), "temp", @"alert('Can\'t delete this data because it is bound with rate plan');", true);

Anyway, I don't see the point of a single quote. You can avoid escaping this single quote by using double-quoted string notation:

ScriptManager.RegisterStartupScript(this, this.GetType(), "temp", "alert(\"Can't delete this data because it is bound with rate plan\");", true);

I don't understand the abuse of single quotes in JavaScript if I don't remember that there are a lot of PHP coders contributing scripts, since that language behaves in a different way depending on single- or double-quoted strings.

Anyway, you can check this other question about single and double-quoting in JavaScript:

Upvotes: 3

Matt

Reputation: 7160

When you use \\ it escapes to \ in the actual JavaScript, which escapes the character. You are essentially escaping twice.

Upvotes: 1

Marc Gravell

Reputation: 1062502

In a C# string, \ needs to be escaped, as it is a special prefix for things like \n etc. You may find it easier to use a verbatim string literal, which doesn't need escaping (except for " to "").

For example:

@"... can\'t ..."

Note the leading @ before the string literal, which indicates the usage of the alternative escaping rules. This also allows newlines etc directly in the string, i.e.

@"foo
bar
blip"

Upvotes: 3

Quentin

Reputation: 943097

\ is an escape character in C# and in JavaScript.

When you give C# "\'" it creates a string containing an apostrophe.

When you give C# "\\'" then the first \ escapes the second \ (so the second \ isn't treated as an escape character) and the ' is treated as a plain ' (because the string is not delimited with ').

Upvotes: 7
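
An added example (not part of any answer above) in JavaScript: it takes the script text the browser receives for each of the three C# literals in the question, checks whether that text compiles, and shows one way to encode an arbitrary message as a string literal for an inline script. The names `emitted`, `parses`, `toJsLiteral`, `alertScript` and `decode`, the shortened message and the sample values are assumptions made for illustration.

```javascript
// Script text as the browser receives it, after the C# compiler has processed
// each string literal from the question (message shortened, constructed).
const emitted = {
  // C# "alert('Can't delete');"   -> no backslash in the source at all
  unescaped: String.raw`alert('Can't delete');`,
  // C# "alert('Can\'t delete');"  -> C# consumes \' and emits a bare '
  csharpOnly: String.raw`alert('Can't delete');`,
  // C# "alert('Can\\'t delete');" -> C# emits one \, which JavaScript consumes
  both: String.raw`alert('Can\'t delete');`,
};

// Compile without executing: new Function throws SyntaxError on bad source.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Encode any value as a JavaScript string literal for an inline <script> block.
// JSON.stringify handles quotes, backslashes and control characters; the extra
// pass escapes <, >, &, U+2028 and U+2029 so the literal cannot end the block.
function toJsLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function alertScript(message) {
  return `alert(${toJsLiteral(message)});`;
}

// Round trip: evaluate the literal and return the string JavaScript sees.
function decode(literal) {
  return new Function(`return ${literal};`)();
}

// Constructed sample inputs.
const samples = ["Can't delete this data", "O'Brian", "ends with \\", "a</script>b", "line1\nline2"];
for (const [name, src] of Object.entries(emitted)) console.log(name, parses(src));
for (const s of samples) console.log(toJsLiteral(s), decode(toJsLiteral(s)) === s);
```

In ASP.NET code-behind the server-side counterpart of `toJsLiteral` is `HttpUtility.JavaScriptStringEncode`, applied to the message before the script string is passed to `RegisterStartupScript`.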
