How to Escape Apostrophe or Quotes on a JSP (Used by JavaScript)

Use the Apache StringEscapeUtils.escapeJavaScript function.

Escapes the characters in a String using JavaScript String rules.

Escapes any values it finds into their JavaScript String form.
Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.)

So a tab becomes the characters '\\' and 't'.

escape single quotes inside onclick method JSP generated text

  1. Use

    ${fn:replace(note.getRequiredInfoFieldValue('note-text'), /\"/g,'\"')}

    inside onclick directly.

So that it will replace the single or double quotes with an escape sequence character.

Obviously you need to import the JSTL library using:

<%@ taglib uri = "http://java.sun.com/jsp/jstl/functions" prefix = "fn" %>

  2. Use

    <c:out value="${note.getRequiredInfoFieldValue('note-text')}"/>

    directly inside onclick.

  3. Use ${fn:escapeXml(note.getRequiredInfoFieldValue('note-text'))}

The third approach is most recommended because you need not put in manual effort to escape particular symbols.

To escape character in javascript/jsp

Can you fix it using the technique mentioned in https://stackoverflow.com/a/1473192/476786 as suggested by @xdazz?

If not, try using double quotes as follows:

var description = "${requestScope.description}";

Edit: OP says that description could also potentially contain " (double quotes):

In that case, you could replace the double quotes before you output the string as:

var description = "${requestScope.description.replace("\"", "''")}";

This would replace all instances of double quotes with 2 single quotes.


Please note that my JSP is very weak, and as such the code sample above might need a tweak or two... :)

How to escape JavaScript in JSP?

The forward slash is not an escape character. That's the backslash.

${fn:replace(Desc, "'", "\\'")}

(yes, it's been presented twice, because that's also an escape character in Java!)

However, you don't only need to replace ' by \', you also need to replace \n (newlines) by \\n. The string is being printed over multiple lines, which also makes it an invalid JS string variable. Your final result must basically look like this:

var itemNameList = ''
+ '\nWeyland Estate Santa Barbara Pinot Noir'
+ '\nRaymond \'Prodigal\' North Coast Cabernet Sauvignon'
+ '\nChateau Haute Tuque';

(please note that the syntax highlighter agrees with me here but not with yours)

There are however many more possible special characters which need to be escaped. They are all covered by Apache Commons Lang StringEscapeUtils#escapeEcmaScript(). Much easier is to create a custom EL function which calls exactly that method. If not done yet, download and drop commons-lang.jar in /WEB-INF/lib. Then create a /WEB-INF/functions.tld file as follows:

<?xml version="1.0" encoding="UTF-8" ?>
<taglib
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd"
version="2.1">

<display-name>Custom Functions</display-name>
<tlib-version>1.0</tlib-version>
<uri>http://example.com/functions</uri>

<function>
<name>escapeJS</name>
<function-class>org.apache.commons.lang3.StringEscapeUtils</function-class>
<function-signature>java.lang.String escapeEcmaScript(java.lang.String)</function-signature>
</function>
</taglib>

So that you can use it as follows:

<%@taglib prefix="util" uri="http://example.com/functions" %>
...
${util:escapeJS(Desc)}
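
As an added illustration (not code from the answers on this page or from Commons Lang), this dependency-free Java sketch shows the two output contexts the answers deal with: a string literal in an inline script needs JavaScript escaping only, while a value inside an onclick attribute needs JavaScript escaping followed by HTML attribute escaping, because the browser decodes HTML entities in the attribute before the script is parsed. The class name JsEscape, its methods and the sample string are assumptions made for the example.

```java
// Added illustration; class and method names are hypothetical, not from Commons Lang.
public final class JsEscape {

    /** Escapes a value for use inside a quoted JavaScript string literal. */
    public static String escapeJs(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '\'': out.append("\\'"); break;
                case '"':  out.append("\\\""); break;
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                default:
                    // Control characters, non-ASCII (including the U+2028/U+2029 line
                    // separators) and <, >, & are written as Unicode escapes, so a value
                    // containing "</script>" cannot close an inline script block.
                    if (c < 0x20 || c > 0x7e || c == '<' || c == '>' || c == '&') {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /** Escapes a value for a single- or double-quoted HTML attribute. */
    public static String escapeHtmlAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed sample value with quotes, a newline and a closing script tag.
        String name = "Raymond 'Prodigal' North Coast\nCabernet </script>";
        // Inline <script> context: JavaScript escaping only.
        System.out.println("var itemName = '" + escapeJs(name) + "';");
        // onclick context: JavaScript escaping first, then HTML attribute escaping.
        System.out.println("<a onclick=\"showURL('" + escapeHtmlAttr(escapeJs(name)) + "')\">");
    }
}
```

A public static method such as escapeJs can be exposed to EL through a functions.tld entry in the same way as the escapeJS function above.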

Passing apostrophe in javascript function

Why not just do this:

onclick=showURL("${result.url}");

function showURL (result_url) {
alert("<c:out value='"+ result_url + "' />");
}

Then you don't have to worry about escaping at all.

-tjw


