On 12.7.2009, at 7.19, Dave Rolsky wrote:
> the point is that you don't want HTML
> escaping for js.

Except when the javascript is inside HTML. Then you need both.

    $str = "I <3 you, Meller's Mongoose";

    <p onclick=" alert( '<% $str | h, js %>' ); ">click me</p>

    <p onclick=" alert( 'I <3 you, Meller\'s Mongoose' ); ">click me</p>

Note that this does not apply to the contents of <script> and <style> tags for HTML (HTML 3.2 defines their contents as CDATA), but does apply to XHTML.

http://stackoverflow.com/questions/779959/is-it-necessary-to-escape-character-and-for-javascript-string/907990#907990

Random musing: The "javascript" escaper should probably enclose the string in single quotes. This is safer, as the developer does not have to remember to do that himself.

    <p onclick="alert(<% $str | h, j %>)">
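
Added example, not part of the original message and not Mason's own escapers: the browser HTML-decodes an attribute value before the JavaScript engine parses it, so a string placed in an inline handler is JavaScript-escaped first and HTML-escaped second. The helper names and the two small "reader" functions that check the round trip are hypothetical, and the second sample string is constructed.

```javascript
// Hypothetical helpers for illustration; not Mason's "h" or "js" escape flags.

// JavaScript string escaper that also adds the enclosing single quotes,
// so the template author cannot forget them.
function jsEscape(s) {
  const body = s.replace(/[\\'"]/g, "\\$&").replace(/\n/g, "\\n").replace(/\r/g, "\\r");
  return "'" + body + "'";
}

// HTML escaper for text placed inside a quoted attribute value.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// What the HTML parser hands to the script engine for onclick="RAW":
// the value stops at the first raw double quote, then entities are decoded.
function parseAttr(raw) {
  const end = raw.indexOf('"');
  const value = end === -1 ? raw : raw.slice(0, end);
  const ents = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
  return value.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => ents[name]);
}

// Returns the decoded string if src is exactly one complete single-quoted
// JavaScript literal, or null if the literal is cut short or ends early.
function readJsString(src) {
  const m = /^'((?:[^'\\\n]|\\[\s\S])*)'$/.exec(src);
  if (!m) return null;
  return m[1].replace(/\\([\s\S])/g, (_, c) => (c === "n" ? "\n" : c === "r" ? "\r" : c));
}

const jsOnly = (s) => jsEscape(s);
const jsThenHtml = (s) => htmlEscape(jsEscape(s)); // reverse of the decode order
const htmlThenJs = (s) => jsEscape(htmlEscape(s)); // entities decode back to raw quotes

// Encode, then decode the way the browser would, and report what survives.
function roundTrip(str, encode) {
  return readJsString(parseAttr(encode(str)));
}

const sample = "I <3 you, Meller's Mongoose"; // string from the message above
const quoted = 'say "hi" & go';               // constructed sample
for (const [name, enc] of Object.entries({ jsOnly, jsThenHtml, htmlThenJs })) {
  console.log(name, JSON.stringify(roundTrip(sample, enc)), JSON.stringify(roundTrip(quoted, enc)));
}
```

A null result means the string literal no longer ends where the data ends, which is the condition under which data in an inline handler can be read as code.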