File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes JSP and the fly likes el expressions and escaping Javascript strings Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSP
Bookmark "el expressions and escaping Javascript strings" Watch "el expressions and escaping Javascript strings" New topic
Author

el expressions and escaping Javascript strings

Colin Shine
Greenhorn

Joined: Aug 12, 2005
Posts: 26
Hi all,

I use some el expressions to generate some client-side javascript as follows:



The problem is that some users' last names contain single quotes (e.g. O'Reilly), so I'll need to escape them with \'. Is there any way to do this with el / jstl, so I won't have to write my own custom tag?

There are already Struts tags (the 'nested' tags) in this project, and when they are used to display the name, it appears as "O'Reilly" in the HTML source. This does not seem to be enough for Javascript however, as when I click on the link I get the generic error message "Problems with this page might prevent it from displaying properly..."

I know this isn't the best practice, but I'm trying to maintain someone else's code so I'm stuck with it.

Thanks!
[ January 23, 2006: Message edited by: Bear Bibeault ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60057
    
  65

There is nothing built-in to escape Javascript strings.

To solve this I did not rely on custom actions (tags) since they cannot be used in all circumstances (attribute to other actions, for example). Rather, I defined an EL function to do the escaping.

So your example would look like:



where 'whatever' is the namespace the tld containing the function is mapped to.
[ January 23, 2006: Message edited by: Bear Bibeault ]

[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60057
    
  65

Another tip...

I notice that you emit the plain-text last name using:



For this, and any other data that is the result of previous user input, I highly recommend using the <cut> tag rather than plain EL so that the emitted string is HTML-encoded.

Imagine the havoc wrought upon your page should a user enter "</html>" as their last name. Also, not doing you so opens the door for maliciousness via Javascript injection.

In contexts where actions like <cut> are not possible, the JSTL defines the fn:escapeXml() EL function.
[ January 23, 2006: Message edited by: Bear Bibeault ]
Colin Shine
Greenhorn

Joined: Aug 12, 2005
Posts: 26
That's excellent, thanks very much. I'll take your advice on using c ut too!
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: el expressions and escaping Javascript strings
 
Similar Threads
Can Javascript variable store into JSP variable
INSERT THE VALUE OF A FORM FIELD INTO A JAVA STRING (without page refresh)
EL Questions
JSP 2 Tag Files
Hiding javascript when html page is loading