FAQ Topic - How do I get a jsp/php variable into client-side javascript? (2010-05-03)

FAQ server

-----------------------------------------------------------------------
FAQ Topic - How do I get a jsp/php variable into
client-side javascript?
-----------------------------------------------------------------------

Use the server-side language to generate the javascript:

// JSP
var jsvar = "${ jspVar }";
// PHP
var jsvar = "<?php echo $phpVar ?>";

If an inline-script tag is used, the string must not contain any
markup-significant characters such as ` < `, ` > `, ` & `, ` ' ` or ` " `. Such
characters must be converted to HTML entities on the server.

http://www.w3.org/TR/html4/sgml/entities.html


The complete comp.lang.javascript FAQ is at
http://jibbering.com/faq/
 
David Mark

Why jsp/php? This doesn't apply to ASP, Python, etc.?
Use the server-side language to generate the javascript:

That's an awkward way to put it. You can't use anything else but a
language when programming. Is this supposed to be as opposed to the
server-side tractor?
// JSP
var jsvar = "${ jspVar }";
// PHP
var jsvar = "<?php echo $phpVar ?>";

If an inline-script tag is used, the string must not contain any
markup-significant characters such as ` < `, ` > `, ` & `, ` ' ` or ` " `. Such
characters must be converted to HTML entities on the server.

An inline-script tag? Is that some sort of secret code for attribute
value? And do you really need to use an entity for single-quotes if the
attribute value is delimited by double quotes. Wouldn't surprise me if
that's a rule, but it certainly isn't a requirement in any browser I've
used.

The linked w3c reference document is of little use for beginners.
 
Garrett Smith

David said:
Why jsp/php? This doesn't apply to ASP, Python, etc.?

The question need not include all languages. What is written should not
be confusing.
That's an awkward way to put it. You can't use anything else but a
language when programming. Is this supposed to be as opposed to the
server-side tractor?

It is apparently a contrast to the client side scripting language.
An inline-script tag? Is that some sort of secret code for attribute
value? And do you really need to use an entity for single-quotes if the
attribute value is delimited by double quotes. Wouldn't surprise me if
that's a rule, but it certainly isn't a requirement in any browser I've
used.

Changed to "inline script".

The character `&` prevents the page from validating. A quote mark can
terminate a string or terminate the attribute of generated strings of
HTML. Angle brackets can affect the HTML.

var userSubmitted = "${param.userName}";

myElement.innerHTML = "<h1 title='" + userSubmitted + "'>...

When param.userName contains something that looks like a closing tag, it
can terminate the script. For example: "</script>" would end the script
block.

If double quotes are used exclusively, the single quote mark need not be
escaped.
The linked w3c reference document is of little use for beginners.
Depends. I learned by reading w3c specifications such as HTML 4,
starting from early on.
 
Thomas 'PointedEars' Lahn

Garrett said:
David said:
Why jsp/php? This doesn't apply to ASP, Python, etc.?

The question need not include all languages. What is written should not
be confusing.
That's an awkward way to put it. You can't use anything else but a
language when programming. Is this supposed to be as opposed to the
server-side tractor?

It is apparently a contrast to the client side scripting language.

AISB, if specific examples are given, it is a good idea to recommend the proper
escaping approaches; addslashes() for PHP in this example.

The madness of using spaced backticks as delimiter in the text version
becomes obvious here.

It is neither a rule nor a requirement.
Changed to "inline script".

The character `&` prevents the page from validating.

Nonsense. It prevents the content of _XHTML_ `script' elements that is not
declared as CDATA from validating.
A quote mark can terminate a string or terminate the attribute of
generated strings of HTML.
True.

Angle brackets can affect the HTML.

var userSubmitted = "${param.userName}";

myElement.innerHTML = "<h1 title='" + userSubmitted + "'>...

That is perfectly valid code.
When param.userName contains something that looks like a closing tag,

There is no such thing as a "closing tag". That syntax element is called
"end tag".
it can terminate the script. For example: "</script>" would end the script
block.

In HTML. Not in XHTML within a block declared as CDATA.
Depends. I learned by reading w3c specifications such as HTML 4,
starting from early on.

Much to learn, still you have.™


PointedEars
 
David Mark

Thomas said:
AISB, if specific examples are given, it is a good idea to recommend the proper
escaping approaches; addslashes() for PHP in this example.


The madness of using spaced backticks as delimiter in the text version
becomes obvious here.


No.

That's what I thought.
It is neither a rule nor a requirement.

It would be a very silly rule if it were (and one I've never followed).
Nonsense. It prevents the content of _XHTML_ `script' elements that is not
declared as CDATA from validating.
Right.


There is no such thing as an angle bracket. And the `<' and `>' characters
can affect HTML only in specific context.

As in, they must be entities in attribute values. That and the end tag
issue in string literals is all I can think of.
That is perfectly valid code.

Sure. And if you used an end tag:-

myElement.innerHTML = "<h1 title='" + userSubmitted + "'><\/h1>";

(assuming it is not in a CDATA block of course). It's unlikely (but
possible) that the above will foul up HTML, but if a SCRIPT element were
being constructed, it would definitely be a problem. Either way, the
extra backward slash is a good idea.
 
Garrett Smith

Thomas said:
Garrett said:
David said:
FAQ server wrote:
[...]


AISB, if specific examples are given, it is a good idea to recommend the proper
escaping approaches; addslashes() for PHP in this example.

addslashes for php example, OK.

${ fn:escapeXml( jspVar ) }

<?php addslashes($str); ?>

[...]

I should be able to post a revised draft within the next day.

I do not actually know of a JSP tag or function to escape backslash in
string. `fn:escapeXml` does not. Java code would be as obscene in the
FAQ as it would be in a JSP. Maybe changing or removing the languages
mentioned in the question is a good idea after all, heh.

Example of this in another language, say ruby or python?
It is neither a rule nor a requirement.


Nonsense. It prevents the content of _XHTML_ `script' elements that is not
declared as CDATA from validating.

Right; what the hell was I thinking?! That needs to be either removed or
changed so that it makes sense. There ARE cases where & needs to be an
entity, where you want to set innerHTML to "Ben &amp; Jerry&apos;s";

In the script tag, it would certainly not prevent the page from
validating. I'll remove that one.
That is perfectly valid code.

When the value of param.userName contains a single quote mark, it is
going to be a problem.
There is no such thing as a "closing tag". That syntax element is called
"end tag".


In HTML. Not in XHTML within a block declared as CDATA.

If the document is served as text/html content type, the HTML parser is
used and in that case it makes no difference; the token </script>, would
close the script tag.
 
nick

  <?php echo addslashes($str); ?>

In production code designed to run under an unknown PHP configuration
and version, addslashes should not be used on values coming from GET,
POST, or cookies without first checking that the "magic_quotes_gpc"
config setting (deprecated as of 5.3.0) is not enabled.

In other words, I think this example is a bit of an
oversimplification. It might be better to explain that text must be
escaped properly before outputting, pointing out the issues identified
in this thread, and then leave the actual example of outputting the
data as simple as possible:

<?php echo $str; ?>

/2c
 
Garrett Smith

nick said:
In production code designed to run under an unknown PHP configuration
and version, addslashes should not be used on values coming from GET,
POST, or cookies without first checking that the "magic_quotes_gpc"
config setting (deprecated as of 5.3.0) is not enabled.

In other words, I think this example is a bit of an
oversimplification. It might be better to explain that text must be
escaped properly before outputting, pointing out the issues identified
in this thread, and then leave the actual example of outputting the
data as simple as possible:

<?php echo $str; ?>

/2c

The FAQ says to do one thing and then shows another, so that's a bit of
a problem.

OTOH, showing the right way to do it seems to be too much for the FAQ Entry.

What we need is one or two good example pages to link to.

PHP: <linkout>
JSP: <linkout>
BFD: <linkout>
WTF: <linkout>
ETC: <linkout>
 
Garrett Smith

Garrett said:
Garrett said:
nick said:
On May 4, 6:50 pm, Thomas 'PointedEars' Lahn wrote:
[...]

What we need is one or two good example pages to link to.

In JSP, using Apache Commons: org.apache.commons.lang.StringEscapeUtils

var jsvar = "<%= StringEscapeUtils.escapeJavaScript(jspVar) %>";

http://commons.apache.org/lang/api-...eJavaScript(java.io.Writer, java.lang.String)


| 11.3 How do I get a jsp/php variable into client-side javascript?
|
| Use the server-side language to generate the javascript. Some
| characters, such as reverse solidus and quote marks \ must be escaped
| by backslash.
|
| JSP example using Apache Commons StringEscapeUtils:
| var jsVar = "<%= StringEscapeUtils.escapeJavaScript(jspVar) %>";
|
| PHP example using addslashes:
| var jsVar = "<?php echo addslashes($phpVar); ?>";
|
| * http://php.net/manual/en/function.addslashes.php
| * http://commons.apache.org/lang/api-...eJavaScript(java.io.Writer, java.lang.String)

Suggestions and comments?
 
Garrett Smith

Garrett said:
Garrett said:
Garrett said:
nick wrote:
On May 4, 6:50 pm, Thomas 'PointedEars' Lahn wrote:
[...]

What we need is one or two good example pages to link to.

In JSP, using Apache Commons: org.apache.commons.lang.StringEscapeUtils

var jsvar = "<%= StringEscapeUtils.escapeJavaScript(jspVar) %>";

http://commons.apache.org/lang/api-...eJavaScript(java.io.Writer, java.lang.String)


| 11.3 How do I get a jsp/php variable into client-side javascript?
|
| Use the server-side language to generate the javascript. Some
| characters, such as reverse solidus and quote marks \ must be escaped
| by backslash.
|

Revised.

| Use a server-side language to generate the javascript value.
|
| Certain characters of ECMAScript strings must be escaped by backslash.
| These include quote marks, backslash, and line terminators.
 
Ivan S

Revised.

| Use a server-side language to generate the javascript value.
|
| Certain characters of ECMAScript strings must be escaped by backslash.
| These include quote marks, backslash, and line terminators.

PHP's function "addslashes" doesn't cover all characters:

http://www.php.net/manual/en/function.addslashes.php

"Returns a string with backslashes before characters that need to be
quoted in database queries etc. These characters are single quote ('),
double quote ("), backslash (\) and NUL (the NULL byte)."

addcslashes (http://www.php.net/manual/en/function.addcslashes.php)
with list of above mentioned characters would be more appropriate.


Something like this:

<?php

$js_string = '...';

if (get_magic_quotes_gpc()) {
    $js_string = stripslashes($js_string);
}

?>

....

var jsVar = "<?php echo addcslashes($js_string, "\\\"'\n\r"); ?>";

....



Ivan
 
Garrett Smith

Ivan said:
[...]

addcslashes (http://www.php.net/manual/en/function.addcslashes.php)
with list of above mentioned characters would be more appropriate.

addcslashes - I thought that was a typo.

Thanks for the correction.

That PHP example doesn't cover \u2028 and \u2029 line terminators.

One or two simple statements of PHP code in the c.l.js FAQ seems
reasonable. Much more than that would be inappropriate. Is it necessary
for the example to include get_magic_quotes_gpc() call? Would this do?

<?php echo addcslashes($str,"\\\'\"\n\r\u2028\u2029"); ?>
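As an added example (not from the FAQ or from any post in this thread), the escaper the drafts above describe, written in JavaScript for Node rather than in PHP or JSP; the function names and the sample value are mine. It escapes the characters Garrett lists (backslash, both quote marks, and the line terminators, including U+2028 and U+2029 which addcslashes does not handle) and also the solidus, so that a value containing `</script>` cannot end the script block when the page is served as text/html.

```javascript
'use strict';

// Escape a server-side value so it can sit inside a double-quoted
// JavaScript string literal in an inline <script> served as text/html.
// Covered: backslash, both quote marks (what addslashes/addcslashes do),
// the ECMAScript line terminators (addcslashes misses U+2028/U+2029),
// and "/" so that "</script>" in the value becomes "<\/script>" and cannot
// end the script block. "&" is left alone: it is harmless in a text/html
// script block, as the thread concluded.
function escapeForJsStringLiteral(value) {
  return String(value).replace(/[\\"'\n\r\u2028\u2029\/]/g, function (ch) {
    switch (ch) {
      case '\\':     return '\\\\';
      case '"':      return '\\"';
      case "'":      return "\\'";   // optional when only double quotes delimit
      case '\n':     return '\\n';
      case '\r':     return '\\r';
      case '\u2028': return '\\u2028';
      case '\u2029': return '\\u2029';
      case '/':      return '\\/';
    }
  });
}

// Emit the statement the FAQ entry describes: var name = "...";
function renderAssignment(name, value) {
  return 'var ' + name + ' = "' + escapeForJsStringLiteral(value) + '";';
}

// What an HTML parser would trip over in the emitted script text: a script
// end tag, or a raw line terminator inside the literal.
function isSafeInlineScript(scriptText) {
  return !/<\/script/i.test(scriptText) &&
         !/[\n\r\u2028\u2029]/.test(scriptText);
}

// Evaluating the generated literal must give back the original value.
function roundTrips(value) {
  var literal = '"' + escapeForJsStringLiteral(value) + '"';
  return new Function('return ' + literal)() === value;
}

// Constructed sample: a "user name" that exercises every hazard at once.
var sample = 'O\'Neil "Ben & Jerry" </script><script>x\u2028y\n';
var rendered = renderAssignment('userSubmitted', sample);
console.log(rendered);
```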
 
Garrett Smith

<?php echo addcslashes($str,"\\\'\"\n\r\u2028\u2029"); ?>

I meant: \\u2028\\u2029, but it looks like PHP strings support those
characters, normally. I don't really know much about PHP.

<?php echo addcslashes($str,"\\\'\"\n\r"); ?>

| How do I get a jsp/php variable into client-side javascript?
|
|
| Use a server-side language to generate the javascript.
|
| Certain characters of ECMAScript strings must be escaped by backslash.
| These include quote marks, backslash, and line terminators.
|
| JSP Example, using Apache Commons:
org.apache.commons.lang.StringEscapeUtils
|
| var jsVar = "<%= StringEscapeUtils.escapeJavaScript(str) %>";
|
| PHP example using addcslashes:
|
| var jsVar = "<?php echo addcslashes($str,"\\\'\"\n\r\\u2028\\u2029");?>";
|
| * <example/addcslashes.php>
| * <http://php.net/manual/en/function.addcslashes.php>
| * <http://commons.apache.org/lang/>
 
Garrett Smith

Garrett said:
[...]
| var jsVar = "<?php echo addcslashes($str,"\\\'\"\n\r\\u2028\\u2029");?>";
|

Sorry, that should omit the last two:
| var jsVar = "<?php echo addcslashes($str,"\\\'\"\n\r");?>";
 
Ivan S

Is it necessary for the example to include get_magic_quotes_gpc() call?

No. Unescaping makes sense if the data (string) is coming from HTTP POST,
GET or COOKIE and PHP has magic quotes on (which are deprecated from
version 5.3). You can put the example without it; developers that have that
configuration option on should know what they need to do first.



Ivan