Escape apostrophe when passing parameter in onclick event

Question

I\'m passing the company name to an onclick event. Some company names have apostrophes in them. I added \'.Replace(\"\'\", \"'\")\' to the company_name field. This al

Answer 1

You've got a JavaScript string literal inside an HTML attribute value.

So you would need to first JS-encode the value (replacing the ' with \' and \ with \\), then HTML-encode. Currently you are HTML-encoding the ' (which would be ineffective, since the browser would decode it back to an apostrophe before the JS engine saw it)... and then HTML-encoding it again, leaving it literally meaning '.

Use a JSON encoder to turn a string (or any other value type) into a JavaScript literal.

However. Writing JavaScript in a string utterly sucks. Keeping track of multiple layers of escaping isn't something the mind is good at. So don't do it. Avoid inline event handler attributes at all times. Instead, use static script and assign handlers from JavaScript itself, using unobtrusive scripting.

"
    title="This action will activate this company's primary company (<%= Server.HTMLEncode(companyName) %>) and all of its other subsidiaries."
>
    

(I'll use jQuery since you have it in your tags:)

However note that this is an abuse of . Actions that make an active change to something should never be sent, or be allowed to be received, as a GET request. You should instead use a button that submits a POST request (either directly as a form, or via AJAX). (You should also consider using ASP.NET's built-in controls instead of templating the values in, to avoid having to call HTMLEncode quite so much.)

See this classic WTF for one way in which this can bite you.