How to resolve html elmento value quotes with javascript?

Asked

Viewed 7,587 times

1

I have a script that creates buttons with onclick events, but I’m having trouble assigning its value.
View the script:

for (var i = 0; i < cursos.length; i++) {    
$("#cursos").append("<button class='ui-btn ui-corner-all optCurso' data-transition ='slide' onclick="
                                                    + "'controller.setNomeCurso('" + cursos[i].Value + "')' >"
                                                    + cursos[i].Name + "</button>")
}

When creating the button it is as follows:

<button class="ui-btn ui-corner-all optCurso" data-transition="slide" onclick="controller.setNomeCurso(" anáse="" de="" sistemas')'="">Anáse de Sistemas</button>

How could I fix this?

javascript jquery html

2 answers

1

In these cases it is better to create the element in another line and use the jQuery methods to put the dynamic values in place:

var button = $("<button class='ui-btn ui-corner-all optCurso' data-transition ='slide'></button>");
button.click(function () { controller.setNomeCurso(cursos[i].Value); });
button.text(cursos[i].Name);
$("#cursos").append(button);

(depending exactly where it comes from i, maybe you need something like button.click((function (nomeCurso) { return function () { controller.setNomeCurso(nomeCurso); }})(cursos[i].value)); to capture right to closure)

You’ll also need to put one type="button" if this button appears inside a form.

You really need to do this with jQuery?

var button = document.createElement('button');
button.type = 'button';
button.className = 'ui-btn ui-corner-all optCurso';
button.setAttribute('data-transition', 'slide');
button.addEventListener('click', function () { controller.setNomeCurso(cursos[i].Value); }, false);
button.appendChild(document.createTextNode(cursos[i].Name));
document.getElementById('cursos').appendChild(button);

This works on any IE 8+; if you agree to only be compatible with IE 11 and Edge, you can switch button.setAttribute('data-transition', 'slide') for button.dataset.transition = 'slide'.

The jQuery encourages this style of code, concatenating strings; this problem you encountered is the newest prime of SQL Injection. Concatenating strings to generate HTML tags is asking you to create XSS holes in your application.

  • Hello my friend, thank you so much for your help. My i comes from a bow for that exists. I tried the first option, but unfortunately it didn’t work. The error generated was: Uncaught ReferenceError: cursor is not defined this right on the line where you add the event click. The second option also failed, returned the following error: ncaught TypeError: Cannot read property 'Value' of undefined.

  • Mea culpa, I had a typo of courses for cursor (corrected)

  • I had noticed and fixed when testing on my code, the problems unfortunately persist, there is no way to fix the code posted by @alysonsm ?

1


Try using simple quotes in the function parameter call.

Follow the example worked:

var cursos = [{Name: "Teorema de D'Alembert", Value:"Teste '123 "},{Name: "Teste2", Value: 345}];
var createButton = function(){

$("#cursos").append("<button class='ui-btn ui-corner-all optCurso' data-transition ='slide' onclick=\"controller.setNomeCurso('"+ cursos[0].Value.replace(/'/g, "\\'") + "')\">"+ cursos[0].Name + "</button>");
}

$("#createButton").click(function(){
    createButton();
});

http://jsfiddle.net/alysonsm/qkyjuud9/2/

In the above example, the treatment is also provided for when the use of single quotes occurs within the value that will be printed in the function parameter.

To treat the error of single quotes within the value, just treat the string replaced by the values of single quotes by: \':

    var texto = "Exemplo '123'";
    var exemplo = texto.replace(/'/g, "\\'"); //Exemplo \'123123\';
  • 1

    What happens if I have a course on D'Alembert’s theorem?

  • I marked as solved, but I cleared because of @ctgPi’s comment and now young? rsrsrs...

  • 2

    What he said is true. I believe the best approach is not to use string concatenation but to use the language resources to create the elements. Using pure javascript will ensure it works in older browsers. Feel free! ;)

  • 1

    As for D'Alembert’s theorem, you should treat single and double quotation marks. str = str.replace(/'/g, ""); http://stackoverflow.com/questions/2195568/how-do-i-add-slashes-to-a-string-in-javascript

  • Thank you @alysonsm you would have how to post that remark in the reply please my friend?

  • 1

    Take a look at the updated response example.

  • You are even hem bug! Thank you very much my friend. It worked perfectly!

  • Thinking a little more here, this is not enough to solve the problem. e. g. var cursos = [{Name: "Teorema de D'Alembert", Value:"\" onmouseover=\"alert(&#39;pwned!&#39;);\" data-bla=\""}, …]. Also needs to roll a .replace(/"/g, "&quot;").

Show 3 more comments

Browser other questions tagged javascript jquery html

You are not signed in. Login or sign up in order to post.