How to escape JavaScript in JSP?
The forward slash is not an escape character. That's the backslash.
${fn:replace(Desc, "'", "\\'")}
(yes, it's been presented twice, because that's also an escape character in Java!)
However, you don't only need to repace '
by \'
, you also need to replace \n
(newlines) by \\n
. The string is been printed over multiple lines, which makes it also an invalid JS string variable. Your final result must basically look like this:
var itemNameList = ''
+ '\nWeyland Estate Santa Barbara Pinot Noir'
+ '\nRaymond \'Prodigal\' North Coast Cabernet Sauvignon'
+ '\nChateau Haute Tuque';
(please note that the syntax highlighter agrees on me here but not on yours)
There are however much more possible special characters which needs to be escaped. They are all covered by Apache Commons Lang StringEscapeUtils#escapeEcmaScript()
. Much easier is to create a custom EL function which calls exactly that method. If not done yet, download and drop commons-lang.jar
in /WEB-INF/lib
. Then create a /WEB-INF/functions.tld
file like follows:
<?xml version="1.0" encoding="UTF-8" ?>
<taglib
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd"
version="2.1">
<display-name>Custom Functions</display-name>
<tlib-version>1.0</tlib-version>
<uri>http://example.com/functions</uri>
<function>
<name>escapeJS</name>
<function-class>org.apache.commons.lang3.StringEscapeUtils</function-class>
<function-signature>java.lang.String escapeEcmaScript(java.lang.String)</function-signature>
</function>
</taglib>
So that you can use it as follows:
<%@taglib prefix="util" uri="http://example.com/functions" %>
...
${util:escapeJS(Desc)}
How to escape apostrophe or quotes on a JSP (used by JavaScript)
Use the Apache StringEscapeUtils.escapeJavaScript function.
Escapes the characters in a String using JavaScript String rules.
Escapes any values it finds into their JavaScript String form.
Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.)
So a tab becomes the characters '\\' and 't'.
To escape character in javascript/jsp
Can you fix it using the technique mentioned in https://stackoverflow.com/a/1473192/476786 as suggested by @xdazz.
If not, try using double quotes as follows:
var description = "${requestScope.description}";
Edit: OP says that description
could also potentially contain " (double quotes):
In that case, you could replace the double quotes before you output the string as:
var description = "${requestScope.description.replace("\"", "''")}";
This would replace all instances of double quotes with 2 single quotes.
Please note that my jsp
isvery weak, and as such the code sample above might need a tweak or two... :)
Escaping characters when passing jsp var to js function
Implement a static method using Apache commons-lang StringEscapeUtils.escapeEcmaScript()
(or reimplement it yourself) to escape the special characters (single and double quotes, newlines, tabs), then make this function an EL function, and use this EL function from inside the JSP:
new SomeFunction('${myFn:escapeJs(foo)}');
See the end of this page for how to create an EL function.
Related Topics
Is There a JSON Equivalent of Xquery/Xpath
What Do Curly Braces Inside of Function Parameter Lists Do in Es6
How to Check in JavaScript If One Element Is Contained Within Another
JavaScript Hard Refresh of Current Page
Generate PDF from HTML Using PDFmake in Angularjs
How to Synchronously Determine a JavaScript Promise's State
How to Offset the Center Point in Google Maps API V3
How to Select Option in Drop Down Protractorjs E2E Tests
Window.Localstorage VS Chrome.Storage.Local
Set Value of Input Using JavaScript Function
Check If String Contains Only Digits
How to Run Two Jquery Animations Simultaneously
How to Execute Shell Command in JavaScript
JavaScript - Get the First Day of the Week from Current Date