I'm off to bed, but since you still haven't posted the JSON data your
server is returning, I'll tell you what I'm pretty sure is wrong.
Apologies for any lack of clarity, I'm rushing.  I suspect your JSON
looks like this:

Example #1:
* * * *
   "message":  "This is a \'message\' with \"quotes\" in it."
* * * *

That JSON snippet defines a property, "message", with a string value
that DOES NOT CONTAIN ANY BACKSLASHES.  The string contains quotes.
The *value* of the string is:

    This is a 'message' with "quotes" in it.

Now, that's entirely correct and as it should be.  Where I think
you're going wrong is where you're using it.  Say we have the JSON
data from Example 1 above decoded and stored in a variable called
'json'.  If I wanted to show an alert with that text, I could use the
*value* of json.message to do that:


That's fine.  But setting innerHTML is different.  You're setting a
string with the textual representation of the HTML and JavaScript you
want to put in the element.  That string will be decoded and
interpreted by the browser.  It needs to be the textual representation
of what you want.  So if I wanted to create a click handler to show
that alert, this would be wrong:

    element.innerHTML = "<div onclick=\"alert('" + json.message + "');\" />"; // <= WRONG

Let's deconstruct why.  First, let's substitute in the value of

    element.innerHTML = "<div onclick=\"alert('This is a \'message\' with \"quotes\" in it.');\" />";

Remember that the right-hand side of that is a string.  Let's look at
the value of that string:

    <div onclick="alert('This is a 'message' with "quotes" in it.');" />

...which is, of course, wrong.

So what do you do?  Well, what *I* would do is not use an onclick
handler in the first place.  Use Event.observe instead:

    element.innerHTML = "<div id='myDiv' />";
    Event.observe.defer('myDiv', 'click', function() {
        alert(json.message); // uses the decoded value directly, no escaping
    });

Creating handlers via innerHTML is (as you've discovered!) complicated
and unpleasant.  But if you *really* want to do that, you'll have to
escape the string.  I haven't had to do that in JavaScript for so long
I don't recall whether it has a built-in for it (it's not "escape()",
sadly) or whether Prototype has a method for it (not seeing one on
first glance).  It's probably not a complicated regex, basically put a
backslash in front of all chars in the '\x00' to '\x1f' range
(inclusive) and in front of single quote ('), double quote ("), and
backslash (/).

T.J. Crowder
tj / crowder software / com
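
Added example, not part of T.J. Crowder's message or of Prototype: the escaping route described above needs two encodings, applied in the reverse order of the browser's decoding (JavaScript string-literal escaping first, then HTML attribute escaping). The function names are hypothetical, and simulateClick is a stand-in for the browser so the round trip can run under Node.

```javascript
// Added example. All function names are hypothetical, not Prototype APIs.

// Layer 1: make a value safe inside a quoted JavaScript string literal.
// Quotes and backslash get a backslash prefix; control characters become
// \uXXXX, since a backslash before a raw newline is a line continuation.
function jsStringEscape(s) {
  return String(s).replace(/[\x00-\x1f'"\\\u2028\u2029]/g, function (c) {
    if (c === "'" || c === '"' || c === '\\') return '\\' + c;
    return '\\u' + ('000' + c.charCodeAt(0).toString(16)).slice(-4);
  });
}

// Layer 2: make the handler source safe inside a quoted HTML attribute.
var HTML_ENTITIES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
function htmlAttrEscape(s) {
  return String(s).replace(/[&"'<>]/g, function (c) { return HTML_ENTITIES[c]; });
}

// The concatenation from the message above, with no encoding at all.
function naiveClickableDiv(message) {
  return "<div onclick=\"alert('" + message + "');\" />";
}

// Same markup, encoded in the reverse order of the browser's decoding.
function buildClickableDiv(message) {
  var handler = "alert('" + jsStringEscape(message) + "');";
  return '<div onclick="' + htmlAttrEscape(handler) + '" />';
}

// Stand-in for the browser: decode the attribute, then run the handler
// source with a stubbed alert() and return what it would have displayed.
function simulateClick(markup) {
  var attr = /onclick="([^"]*)"/.exec(markup)[1];
  var source = attr.replace(/&(amp|quot|#39|lt|gt);/g, function (m, name) {
    return { amp: '&', quot: '"', '#39': "'", lt: '<', gt: '>' }[name];
  });
  var shown = [];
  new Function('alert', source)(function (text) { shown.push(text); });
  return shown;
}

// Constructed sample input, using the string from Example #1.
var sample = 'This is a \'message\' with "quotes" in it.';
console.log(buildClickableDiv(sample));
console.log(simulateClick(buildClickableDiv(sample)));
```
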

On Oct 9, 10:07 pm, "suki rosen" <[EMAIL PROTECTED]> wrote:
> "Why are you printing the variable contents instead of using the variables
> directly?"
> if the variable has been printed to the browser, then I'm not aware of the
> difference (between a variable and the value of the variable).  I mean, once
> I swap something out using innerHTML, it doesn't matter if it's a variable
> or not as the value of the variable is what gets printed.  In case I was not
> clear, the errors are thrown when the user clicks on the element with an
> onclick - as opposed to when the page is getting built.
> also - I am using Ajax.Request to get new user messages.  These messages are
> represented by a user thumbnail (for example) and there's an onclick on the
> thumbnail that loads the message.
> so in reference to "Are you using javascript to print out the onmouseover
> text, or a server-side language?"  - yes, I am using javascript to print the
> mouseover text because it's coming from the server via an ajax interaction
> and not on a page load.
> I can certainly post code, but maybe I was more clear about the situation
> here.
> On Thu, Oct 9, 2008 at 4:58 PM, Hector Virgen <[EMAIL PROTECTED]> wrote:
> > Why are you printing the variable contents instead of using the variables
> > directly? Are you using javascript to print out the onmouseover text, or a
> > server-side language? Can you post some sample code? Thanks
> > -Hector
> > On Thu, Oct 9, 2008 at 1:52 PM, suki rosen <[EMAIL PROTECTED]> wrote:
> >> for example, here's a user description:  'I'll take you down to china
> >> town'
> >> I want to print onclick="function('I'll take you down to china town')"
> >> or for rollovers
> >> onmouseover="tool_tip('I'll take you down to china town', 100);"
> >> both of those throw errors. obviously I need it to work for double quotes
> >> or single quotes.
> >> On Thu, Oct 9, 2008 at 4:38 PM, Hector Virgen <[EMAIL PROTECTED]> wrote:
> >>> Maybe I'm not understanding your implementation, but why do the quotes
> >>> have to be escaped? If you are passing the data to a function, and is
> >>> already in the form of a variable, then you do not need to escape it. Can
> >>> you give me an example of a JSON response?
> >>> -Hector
> >>> On Thu, Oct 9, 2008 at 1:21 PM, suki rosen <[EMAIL PROTECTED]> wrote:
> >>>> personally, I would consider this a serious drawback to using json - as
> >>>> opposed to xml, which does not display this behavior.  I'm really hoping
> >>>> there's a workaround here, but I feel like I may drop prototype in favor
> >>>> of a library that has better xml support.
> >>>>> On Thu, Oct 9, 2008 at 3:53 PM, Hector Virgen <[EMAIL PROTECTED]> wrote:
> >>>>>> Is there a reason you need the data to remain escaped while being used
> >>>>>> by javascript? Unless your javascript is interacting directly with the
> >>>>>> database, you should not need to keep your data escaped. Once
> >>>>>> javascript is done with the data, and sends it back to the server, the
> >>>>>> server should then re-escape the unescaped data before inserting into
> >>>>>> the database.
> >>>>>> -Hector
> >>>>>> On Thu, Oct 9, 2008 at 11:22 AM, pancakes <[EMAIL PROTECTED]> wrote:
> >>>>>>> Hi.
> >>>>>>> I'm using prototype for my ajax routines.  I'm returning a json
> >>>>>>> object from the server containing user information.  Some of the
> >>>>>>> information contains user descriptions with quotes and other weird
> >>>>>>> characters that need to be escaped.
> >>>>>>> for example
> >>>>>>> 'I'm going to the store, don't 'cha know?'
> >>>>>>> is stored in my db as
> >>>>>>> 'I\'m going to the store, don\'t \'cha know?'
> >>>>>>> but when I get my json object back from the server, I need to eval()
> >>>>>>> it.  This strips the slashes. I tried prototype's built in json
> >>>>>>> parser next (evalJSON();) with the same results.
> >>>>>>> Is there any way to preserve my escape characters and use json for
> >>>>>>> data structuring??
> >>>>>>> I am aware that javascript has find/replace functions, but trusting
> >>>>>>> the escaping of problem characters to the browser doesn't appeal to
> >>>>>>> me.  I want to escape the data on the server.  also, this needs to
> >>>>>>> work for single or double quotes, as these are user input and I want
> >>>>>>> it to work regardless of the data.
> >>>>>>> thanks!