This question already has answers here:
How do I pass variables and data from PHP to JavaScript?
(19 answers)
Closed 8 years ago.
The community reviewed whether to reopen this question 1 year ago and left it closed:
Original close reason(s) were not resolved
What is the easiest way to encode a PHP string for output to a JavaScript variable?
I have a PHP string which includes quotes and newlines. I need the contents of this string to be put into a JavaScript variable.
Normally, I would just construct my JavaScript in a PHP file, à la:
<script>
var myvar = "<?php echo $myVarValue;?>";
</script>
However, this doesn't work when $myVarValue contains quotes or newlines.
Expanding on someone else's answer:
<script>
var myvar = <?php echo json_encode($myVarValue); ?>;
</script>
Using json_encode() requires:
PHP 5.2.0 or greater
$myVarValue encoded as UTF-8 (or US-ASCII, of course)
Since UTF-8 supports full Unicode, it should be safe to convert on the fly.
Note that because json_encode escapes forward slashes, even a string that contains </script> will be escaped safely for printing with a script block.
encode it with JSON
function escapeJavaScriptText($string)
{
return str_replace("\n", '\n', str_replace('"', '\"', addcslashes(str_replace("\r", '', (string)$string), "\0..\37'\\")));
}
I have had a similar issue and understand that the following is the best solution:
<script>
var myvar = decodeURIComponent("<?php echo rawurlencode($myVarValue); ?>");
</script>
However, the link that micahwittman posted suggests that there are some minor encoding differences. PHP's rawurlencode() function is supposed to comply with RFC 1738, while there appear to have been no such effort with Javascript's decodeURIComponent().
The paranoid version: Escaping every single character.
function javascript_escape($str) {
$new_str = '';
$str_len = strlen($str);
for($i = 0; $i < $str_len; $i++) {
$new_str .= '\\x' . sprintf('%02x', ord(substr($str, $i, 1)));
}
return $new_str;
}
EDIT: The reason why json_encode() may not be appropriate is that sometimes, you need to prevent " to be generated, e.g.
<div onclick="alert(???)" />
<script>
var myVar = <?php echo json_encode($myVarValue); ?>;
</script>
or
<script>
var myVar = <?= json_encode($myVarValue) ?>;
</script>
Micah's solution below worked for me as the site I had to customise was not in UTF-8, so I could not use json; I'd vote it up but my rep isn't high enough.
function escapeJavaScriptText($string)
{
return str_replace("\n", '\n', str_replace('"', '\"', addcslashes(str_replace("\r", '', (string)$string), "\0..\37'\\")));
}
Don't run it though addslashes(); if you're in the context of the HTML page, the HTML parser can still see the </script> tag, even mid-string, and assume it's the end of the JavaScript:
<?php
$value = 'XXX</script><script>alert(document.cookie);</script>';
?>
<script type="text/javascript">
var foo = <?= json_encode($value) ?>; // Use this
var foo = '<?= addslashes($value) ?>'; // Avoid, allows XSS!
</script>
You can insert it into a hidden DIV, then assign the innerHTML of the DIV to your JavaScript variable. You don't have to worry about escaping anything. Just be sure not to put broken HTML in there.
You could try
<script type="text/javascript">
myvar = unescape('<?=rawurlencode($myvar)?>');
</script>
Don’t. Use Ajax, put it in data-* attributes in your HTML, or something else meaningful. Using inline scripts makes your pages bigger, and could be insecure or still allow users to ruin layout, unless…
… you make a safer function:
function inline_json_encode($obj) {
return str_replace('<!--', '<\!--', json_encode($obj));
}
htmlspecialchars
Description
string htmlspecialchars ( string $string [, int $quote_style [, string $charset [, bool $double_encode ]]] )
Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead.
This function is useful in preventing user-supplied text from containing HTML markup, such as in a message board or guest book application.
The translations performed are:
* '&' (ampersand) becomes '&'
* '"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
* ''' (single quote) becomes ''' only when ENT_QUOTES is set.
* '<' (less than) becomes '<'
* '>' (greater than) becomes '>'
http://ca.php.net/htmlspecialchars
I'm not sure if this is bad practice or no, but my team and I have been using a mixed html, JS, and php solution. We start with the PHP string we want to pull into a JS variable, lets call it:
$someString
Next we use in-page hidden form elements, and have their value set as the string:
<form id="pagePhpVars" method="post">
<input type="hidden" name="phpString1" id="phpString1" value="'.$someString.'" />
</form>
Then its a simple matter of defining a JS var through document.getElementById:
<script type="text/javascript" charset="UTF-8">
var moonUnitAlpha = document.getElementById('phpString1').value;
</script>
Now you can use the JS variable "moonUnitAlpha" anywhere you want to grab that PHP string value.
This seems to work really well for us. We'll see if it holds up to heavy use.
If you use a templating engine to construct your HTML then you can fill it with what ever you want!
Check out XTemplates.
It's a nice, open source, lightweight, template engine.
Your HTML/JS there would look like this:
<script>
var myvar = {$MyVarValue};
</script>
Related
I have a string 90001 90002. I need to see which html special char is represented in the empty space. (It could be an empty space - or it could be a textual line-break masquerading as a space in HTML see here. Maybe other possibilities that I'm not aware of..)
I would like to echo a string and show the empty spaces as html char (e.g. $result = "90001 90002").
I've tried using html_entities but that doesn't cover spaces. Also neither does htmlspecialchars.
How would I go about doing this?
If possible I would like a purely PHP & html solution. If necessary - CSS. And if impossible otherwise, javascript will have to do..
Just an out-of-box thinking. I had the same issue but looked into using JavaScript's encodeURIComponent() function:
$(function () {
$("div").html(function () {
return encodeURIComponent($(this).html());
});
});
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<div>90001 90002</div>
Used jQuery as I am kinda lazy. You can do the same in JavaScript this way:
<div>90001 90002</div>
<script>
var div = document.querySelector("div");
div.innerHTML = encodeURIComponent(div.innerHTML);
</script>
Just letting you know that this is better to handle in client side than in the server side.
Update 2: Getting the HTML content and updating the text of the HTML:
$(function () {
$("div").text(function () {
return $(this).html().replace(/[\u00A0-\u9999<>\&]/gim, function(i) {
return '&#'+i.charCodeAt(0)+';';
});
});
});
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<div>90001—90002</div>
Something like this...
<?php
$mystring = "90001 90002";
$mystring = str_replace(" "," ",$mystring);
echo $mystring;
?>
I hope it helps
function removeWhiteSpace($text)
{
$text = preg_replace('/[\t\n\r\0\x0B]/', '', $text);
$text = preg_replace('/([\s])\1+/', ' ', $text);
$text = trim($text);
return $text;
}
Editing the Answer :
if you need to do it using PHP , Use urlencode function , which would hep to resolve it
<?php
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>
But they have set backs which is mentioned in the notes section of the documentation.
http://php.net/manual/en/function.urlencode.php
You can also use functions like htmlentities,rawurlencode in php .
if you want to use it in javascript , You can use escape function.
https://www.w3schools.com/jsref/jsref_escape.asp
The following works just fine:
var sFirstText=<?php include("first2.html"); ?>;
when first2.html looks like this INCLUDING the double quotes:
"<p>sentence one</p><p>sentence two</p>"
However, if first2.html looks like:
"<p>sentence one</p>
<p>sentence two</p>"
I get an unterminated string literal message. I hope to figure out how I can include the html without first having to remove the carriage return/line feed sequences.
Also, if I remove the double quotes and do:
var sFirstText="<?php include("first2.html"); ?>";
that won't work, returning a message I haven't yet been able to comprehend.
Basically I want to get simple html formatting into a field without having to remove the cr/lf sequences.
Try using a \ at the end of the line to continue the string to the next line.
Javascript can not handle those newlines. You might wanna open the file, read contents and replace those with empty spaces instead.
Also, while getting the source content, you will need to escape the type of quote you're using to wrap it.
Here's what I would do.
function contents($file, $wrappingQuote='\'') {
$fh = fopen($file,'r');
$contents = fread($fh,filesize($file));
fclose($fh);
echo preg_replace('~\'~','\\'.$wrappingQuote,preg_replace('~\r?\n~','',$contents));
}
(…)
var str = '<?php contents('first2.html') ?>';
// or
var str = "<?php contents('first2.html','"') ?>";
So here's the problem. I have data in a MySQL DB as text. The data is inserted via mysql_real_escape_string. I have no problem with the data being displayed to the user.
At some point I want to pass this data into a javascript function called foo.
// This is a PHP block of code
// $someText is text retrieved from the database
echo "<img src=someimage.gif onclick=\"foo('{$someText}')\">";
If the data in $someText has line breaks in it like:
Line 1
Line 2
Line 3
The javascript breaks because the html output is
<img src=someimage.gif onclick="foo('line1
line2
line3')">
So the question is, how can I pass $someText to my javascript foo function while preserving line breaks and carriage returns but not breaking the code?
===========================================================================================
After using json like this:
echo "<img src=someimage.gif onclick=\"foo($newData)\">";
It is outputting HTML like this:
onclick="foo("line 1<br \/>\r\nline 2");">
Which displays the image followed by \r\nline 2");">
json_encode() is the way to go:
$json = json_encode($someText); # this creates valid JS
$safe = HtmlSpecialChars($json); # this allows it to be used in an HTML attribute
echo "<img src=someimage.gif onclick=\"foo($safe)\">";
You can see a demo here: http://codepad.org/TK45YErZ
If I'm not interpreting badly you may do this:
// This is a PHP block of code
// $someText is text retrieved from the database
echo "<img src=someimage.gif onclick=\"foo('{".trim( preg_replace( '/\s+/', ' ',$someText ) )."}')\">";
You'll save yourself a lot of headaches by pulling the JavaScript out of the HTML:
<img id="myImage" src="someimage.gif"/>
<script type="text/javascript">
var str = <?php echo json_encode($json); ?>;
document.getElementById('myImage').addEventListener(
'click',
function() {
foo(str);
}
);
</script>
Or something similer...
Only json_encode() is enough to escape the new line
echo "<img src=someimage.gif onclick=\"foo(".json_encode($newData).")\">";
Say you have a PHP variable called $description with the following value (that contains quotes and line breaks):
Tromp L'oeil Sheath Dress
You will certainly "trick the eye" of many in this gorgeous illusion. Add it to your fall wardrobe before it disappears.
You want to pass the contents of this variable into a Javascript function that writes that value into an INPUT of type text.
How would you do this? I tried this:
$description = htmlspecialchars ( $product->description, ENT_QUOTES );
However, I get a JS error. I also tried this:
$description = rawurlencode ( $product->description );
This encodes the value like so:
Michael%20Kors%0A%0ATromp%20L%27oeil%20Sheath%20Dress%0A%0AYou%20will%20certainly%20%22trick%20the%20ey%22%20of%20many%20in%20this%20gorgeous%20illusion.%20Add%20it%20to%20your%20fall%20wardrobe%20before%20it%20disappears.%0A%0AAvailable%20in%20Black%2FNude
This value can be passed as a JS variable, but I don't know of a JS function that will cleanly reverse a PHP rawurlencode.
Is there a matching pair of functions that I could use to encode a variable in PHP to allow it to be passed into a JS function -- and then reverse the encoding in JS so that I get the original value of the PHP variable?
EDIT: To clarify the question and reply to comments, here is some test code:
<?php
$str =<<<EOT
Tromp L'oeil Sheath Dress
You will certainly "trick the eye" of many in this gorgeous illusion. Add it to your fall wardrobe before it disappears.
EOT;
echo 'here is the string: <pre>' . $str . '</pre>';
?>
<script type="text/javascript">
<?php
// this does not work with JS as i get an unterminated string literal if i just use addslashes in the following commented-out line
// echo 'alert(\'' . addslashes($str) . '\');';
// this works with JS (the alert activates) but how do i un-rawurlencode in JS?
// echo 'alert(\'' . rawurlencode($str) . '\');';
// this does not work with JS, because of the line breaks
echo 'alert(\'' . htmlspecialchars ($str, ENT_QUOTES) . '\');';
?>
</script>
simplest would be to use json_encode()
I ran into problems using some of the answers proposed here, including issues with line breaks and decoding certain html entitites like /. I ended up using rawurlencode (in PHP) and decodeURIComponent (in Javascript) as matching functions to encode/decode the string so it could be passed as a JS variable. Here is working code for anybody else running into this problem.
<?php
$str =<<<EOT
Tromp L'oeil Sheath Dress
You will certainly "trick the eye" of many in this gorgeous illusion. Add it to your fall wardrobe before it disappears.
Available in Black/Nude
EOT;
echo 'here is the string: <pre>' . $str . '</pre>';
?>
<p>below is the variable doc.write'd after being rawurlencod'ed in PHP then decodeURIComponent'ed in JS:</p>
<script type="text/javascript">
<?php
echo 'document.write(decodeURIComponent("'. rawurlencode($str).'"));';
?>
You can use json_encode if available. It encodes the string according to the JSON data format that is a subset of JavaScript; so any JSON is also valid JavaScript.
<script type="text/javascript">
<?php
echo 'alert('. json_encode($str).');';
?>
</script>
Otherwise try PHP’s rawurlencode and decode it with JavaScript’s decodeURI:
<script type="text/javascript">
<?php
echo 'alert(decodeURI("'. rawurlencode($str).'"));';
?>
</script>
Json is the solution.
See sample code
Two pages to demonstrate
First Page json.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
</head>
<body>
<script type="text/javascript">
$(document).ready(function() {
// This is more like it!
$('#submit').live('click', function() {
var id=$("#id").attr("value");
$.getJSON("json-call.php", {id:id}, function callback(data) {
$("#list").html("var1:"+data['var1']+"<br/>"+"var2:"+data['var2']+"<br />id:"+data['id']);
});
});
});
</script>
<input id="id" type="text" value="test value" />
<input type="button" id="submit" value="submit" />
<div id="list"></div>
</body>
</html>
Second Page json-call.php
$var1 = 'your name';
$var2 = 'your address';
$id = $_REQUEST['id'];
print(json_encode(array ('var1' => $var1, 'var2' => $var2, 'id'=>$id)));
and Results
var1:your name
var2:your address
id:test value
Not sure whether json_decode does everything you need. htmlspecialchars() and htmlspecialchars_decode() should do the trick for everything but the line breaks. The line breaks are kind of a pain, since the combination of linebreaks and carriage returns will depend on the browser, but I think something like this should work:
$value = "your string with quotes and newlines in it.";
//take cares of quotes
$js_value = htmlspecialchars($value);
//first line replaces an ASCII newline with a JavaScript newline
$js_value = str_replace("\n",'\n',$js_value);
//second line replaces an ASCII carriage return with nothing, so you don't get duplicates
$js_value = str_replace("\r",'',$js_value);
//reverse to convert it back to PHP
$php_value = str_replace('\n',"\r\n",$js_value);
$php_value = htmlspecialchars_decode($php_value);
Maybe not the most elegant solution, but that's not really my specialty. ;) Also, keep in mind that newline characters will just end up like spaces in an <input type="text"> field.
Here is a litle something I have made:
function safefor_js($str) {
return str_replace(array("'",'"',"\n"), array('\x22','\x27','\\n'), $str);
}
I can't figure out how to get the same result from my Javascript as I do from my PHP. In particular, Javascript always leaves out the backslashes. Please ignore the random forward and backslashes; I put them there so that I can cover my basis on a windows system or any other system. Output:
Input String: "/root\wp-cont ent\#*%'i#$#%$&^(###''mage6.jpg:"
/root\wp-content\image6.jpg (PHP Output)
/rootwp-contentimage6.jpg (Javascript Output)
I would appreciate any help!
PHP:
<?php
$path ="/root\wp-cont ent\#*%'i#$#%$&^(###''mage6.jpg:";
$path = preg_replace("/[^a-zA-Z0-9\\\\\/\.-]/", "", $path);
echo $path;
?>
Javascript:
<script type="text/javascript">
var path = "/root\wp-cont ent\#*%'i#$#%$&^(###''mage6.jpg:"; //exact same string as PHP
var regx = /[^a-zA-Z0-9\.\/-]/g;
path = path.replace(regx,"");
document.write("<br>"+path);
</script>
Your problem is that you're not escaping the backslashes in your JS string, which you should always do (even in PHP) if you mean a backslash.
Example:
var path = "/root\wp-cont ent\#*%'i#$#%$&^(###''mage6.jpg:";
alert(path);
path = "/root\\wp-cont ent\\#*%'i#$#%$&^(###''mage6.jpg:";
alert(path);
Yup, Qtax is correct, then you can use this:
var regx = /[^a-zA-Z0-9\.\/-\\]/g;