Discussion:
[Stripes-users] stripes tag for escaped string literal in JavaScript
William Krick
2016-06-28 18:05:47 UTC
I've run into an interesting situation with un-escaped double quotes in
JavaScript in a JSP.


I have some JavaScript code like this...


var companyName = "${actionBean.company.name}";


...which breaks if the company name contains double quotes.

The same situation can happen if the company name contains a single quote
and the JavaScript code quotes using single quotes...

var companyName = '${actionBean.company.name}';


The only workaround I've been able to come up with involves adding new
methods to the company object that I can call to get a JavaScript escaped
version of the string using Apache Commons
StringEscapeUtils.escapeJavaScript().
James Jory
2016-06-28 18:54:33 UTC
We wrote a custom taglib function called escapeJS to handle this from our JSPs and to keep JSP-specific code from polluting our model classes.



var companyName = '${vt:escapeJS(actionBean.company.name)}';



It just wraps a call to StringEscapeUtils.escapeEcmaScript().



-James



Stan Broné
2016-06-29 10:00:22 UTC
Personally I like to output these values in a hidden form field, or a
span with style "display: none;", and then grab the values from within
JavaScript by using DOM functions.

It might not be as efficient, but I think the code is a bit cleaner
and it solves your problem.

-Stan
Juan Pablo Santos Rodríguez
2016-06-29 10:34:53 UTC
Hi,

Assuming your JavaScript code is in the JSP instead of in a .js file, you
can use the standard <c:out /> tag or the ${fn:escapeXml} function; something
like

var companyName = "<c:out value="${actionBean.company.name}" escapeXml="true" />";

should do the trick. I lean more towards c:out than fn:escapeXml,
as the former also allows setting a default value if the evaluated
expression is null.


HTH,
juan pablo
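
Added example (not code from the thread, Stripes or Commons Lang): it emits the `var companyName = "...";` line with no escaping, with the five HTML replacements of `<c:out>`/`fn:escapeXml`, and with a JavaScript string-literal escaper, then parses each line the way an HTML `<script>` block would be read. `escapeJsString` is a hypothetical hand-written stand-in for the `escapeJS` taglib function, and the company names are constructed sample data.

```javascript
// Simulates the line a JSP emits and how a browser's JS parser reads it back.
// Company names are constructed sample data.
const NAMES = ['Acme "Best" Widgets', "O'Neil and Sons", 'North\\South Ltd',
               'A </script> B', 'Caf\u00e9 Ol\u00e9'];

const raw = (s) => s; // no escaping, as in the original post

// The five replacements <c:out> / fn:escapeXml perform (HTML context).
function escapeXml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#034;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical hand-written escaper for the JS string-literal context.
function escapeJsString(s) {
  const named = { '\\': '\\\\', '"': '\\"', "'": "\\'", '/': '\\/',
                  '\n': '\\n', '\r': '\\r', '\t': '\\t' };
  return s.replace(/[\\"'\/\n\r\t]|[^\x20-\x7e]/g, (c) =>
    named[c] || '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Emit `var companyName = "...";` and parse it the way a script block would be.
function roundTrip(name, escaper) {
  const line = 'var companyName = "' + escaper(name) + '";';
  // The HTML parser ends a <script> element at the first "</script", before JS runs.
  const htmlSafe = !/<\/script/i.test(line);
  try {
    return { line, htmlSafe, value: new Function(line + ' return companyName;')() };
  } catch (e) {
    return { line, htmlSafe, error: e.name }; // the script fails to parse
  }
}

for (const name of NAMES) {
  for (const escaper of [raw, escapeXml, escapeJsString]) {
    const r = roundTrip(name, escaper);
    const verdict = r.error ? r.error
      : !r.htmlSafe ? 'closes script'
      : r.value === name ? 'ok' : 'value changed';
    console.log(escaper.name.padEnd(15), verdict.padEnd(14), r.line);
  }
}
```

The HTML encoder is the right one for the hidden field or span approach mentioned earlier in the thread, because there the value sits in HTML and is read back through the DOM rather than parsed as JavaScript.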
William Krick
2016-06-29 13:17:36 UTC
That's actually a really good idea. I hadn't considered using a hidden
field or span. Thanks for the tip.