How to Escape a String Inside JavaScript Code Inside an Onclick Handler

How do I escape a string inside JavaScript code inside an onClick handler?

In JavaScript you can encode single quotes as "\x27" and double quotes as "\x22". Therefore, with this method you can, once you're inside the (double or single) quotes of a JavaScript string literal, use the \x27 \x22 with impunity without fear of any embedded quotes "breaking out" of your string.

\xXX is for chars < 127, and \uXXXX for Unicode, so armed with this knowledge you can create a robust JSEncode function for all characters that are out of the usual whitelist.

For example,

<a href="#" onclick="SelectSurveyItem('<% JSEncode(itemid) %>', '<% JSEncode(itemname) %>'); return false;">Select</a>

How to escape quotes in a string that assigns a method to onclick with a parameter?

This looks like a job for stripslashes(). Note however, that you can not use the same double quote (") or single qoutes (') for both the attribute assignment AND the string definition for the parameter. Therefore you want your result to look something like: onclick="removeTag('naruto')".

If you have them as double quotes in your original string (i.e. $row['description']), you can replace those, all put together like this:

echo 'blabla <a href="#" onclick="removeTag(' . str_replace('"', '\'', stripslashes($row['description'])) . ')">';

A tiny bit simpler approach might be to just trim double quotes and add your own single qoutes:

echo 'blabla <a href="#" onclick="removeTag(\'' . trim(stripslashes($row['description']), '"') . '\')">';

What needs to be escaped in an onclick event taking a string?

quotes (") should be replaced with ". And backslash (\) prepended to '.

onclick="eventBox('This is the string \' // " "')"

escape parameters on onclick event doesnt work

Try this. As description seems to be a string value you need to surround it with qoutes.

row.insertCell(0).innerHTML = '<input type="button" value = "ShowDescription"  onclick="showDescription(\'' + description + '\');">';

Escaping double quotes in JavaScript onClick event handler

Did you try

" or \x22

instead of

\"

escape character is not working when sending as argument to onclick function

In instances like this you can try changing your quotes around;

control += "<button class='gray-button' onclick='diagBtnClick("${yesStepIntent}", "${yesBtnLbl}")'>"${yesBtnLbl}"</button>";

But this will break if you use " in your variable.

EDIT: Or you can try;

control += `<button class='gray-button' onclick='diagBtnClick("${yesStepIntent}", "${yesBtnLbl}")'>${yesBtnLbl}</button>`;

Pass a string parameter in an onclick function

It looks like you're building DOM elements from strings. You just need to add some quotes around result.name:

'<input type="button" onClick="gotoNode(\'' + result.name + '\')" />'

You should really be doing this with proper DOM methods though.

var inputElement = document.createElement('input');
inputElement.type = "button"
inputElement.addEventListener('click', function(){
    gotoNode(result.name);
});

document.body.appendChild(inputElement);

Just be aware that if this is a loop or something, result will change before the event fires and you'd need to create an additional scope bubble to shadow the changing variable.