How to Escape JavaScript in JSP

How to escape JavaScript in JSP?

The forward slash is not an escape character. That's the backslash.

${fn:replace(Desc, "'", "\\'")}

(yes, it's been presented twice, because that's also an escape character in Java!)

However, you don't only need to replace ' by \', you also need to replace \n (newlines) by \\n. The string is being printed over multiple lines, which also makes it an invalid JS string variable. Your final result must basically look like this:

var itemNameList = ''
+ '\nWeyland Estate Santa Barbara Pinot Noir'
+ '\nRaymond \'Prodigal\' North Coast Cabernet Sauvignon'
+ '\nChateau Haute Tuque';

(please note that the syntax highlighter agrees with me here but not with yours)

There are, however, many more possible special characters which need to be escaped. They are all covered by Apache Commons Lang StringEscapeUtils#escapeEcmaScript(). Much easier is to create a custom EL function which calls exactly that method. If not done yet, download and drop commons-lang.jar in /WEB-INF/lib. Then create a /WEB-INF/functions.tld file as follows:

<?xml version="1.0" encoding="UTF-8" ?>
<taglib
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd"
    version="2.1">

    <display-name>Custom Functions</display-name>
    <tlib-version>1.0</tlib-version>
    <uri>http://example.com/functions</uri>

    <function>
        <name>escapeJS</name>
        <function-class>org.apache.commons.lang3.StringEscapeUtils</function-class>
        <function-signature>java.lang.String escapeEcmaScript(java.lang.String)</function-signature>
    </function>
</taglib>

So that you can use it as follows:

<%@taglib prefix="util" uri="http://example.com/functions" %>
...
${util:escapeJS(Desc)}

How to escape apostrophe or quotes on a JSP (used by JavaScript)

Use the Apache StringEscapeUtils.escapeJavaScript function.

Escapes the characters in a String using JavaScript String rules.

Escapes any values it finds into their JavaScript String form.
Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.)

So a tab becomes the characters '\\' and 't'.

To escape character in javascript/jsp

Can you fix it using the technique mentioned in https://stackoverflow.com/a/1473192/476786 as suggested by @xdazz?

If not, try using double quotes as follows:

var description = "${requestScope.description}";

Edit: OP says that description could also potentially contain " (double quotes):

In that case, you could replace the double quotes before you output the string as:

var description = "${requestScope.description.replace("\"", "''")}";

This would replace all instances of double quotes with 2 single quotes.


Please note that my JSP is very weak, and as such the code sample above might need a tweak or two... :)

Escaping characters when passing jsp var to js function

Implement a static method using Apache commons-lang StringEscapeUtils.escapeEcmaScript() (or reimplement it yourself) to escape the special characters (single and double quotes, newlines, tabs), then make this function an EL function, and use this EL function from inside the JSP:

new SomeFunction('${myFn:escapeJs(foo)}');

See the end of this page for how to create an EL function.
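
The "reimplement it yourself" option mentioned above, as an added example that is not part of the original answers and is not Commons Lang's code. The class name JsEscaper, its escapeJs method and the sample strings are hypothetical; the method is public static so it can be registered in a TLD function entry like the one shown earlier.

```java
// Added example: hypothetical helper, not Commons Lang source.
public final class JsEscaper {
    private JsEscaper() {}

    /** Escapes a value for use inside a quoted JavaScript string literal. */
    public static String escapeJs(String in) {
        if (in == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '\'': out.append("\\'"); break;
                case '"':  out.append("\\\""); break;
                case '\\': out.append("\\\\"); break;
                case '/':  out.append("\\/"); break;  // stops "</script>" from closing the block
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                case '\b': out.append("\\b"); break;
                case '\f': out.append("\\f"); break;
                default:
                    // Remaining control chars, HTML-significant chars and all non-ASCII
                    // (including U+2028 and U+2029) are written as four-digit hex escapes.
                    if (c < 0x20 || c > 0x7e || c == '<' || c == '>' || c == '&') {
                        out.append(String.format("\\u%04X", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: quotes, a newline, a script end tag, a trailing backslash.
        String[] samples = {
            "Raymond 'Prodigal' North Coast\nCabernet Sauvignon",
            "Chateau </script> Haute Tuque",
            "say \"hi\"\\"
        };
        for (String s : samples) {
            System.out.println("var v = '" + escapeJs(s) + "';");
        }
    }
}
```

This covers a value placed inside a quoted string literal in a script block; a value that lands in an HTML attribute such as an inline event handler also needs HTML escaping on top.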


