The problem is, anything in [ ] is pulled from a database and put into the HTML code when the page is created. The [cdescription] oftentimes may have a single quote (') in it, which ruins the script. I don't know of any time that it has the double quotes ("), but I suppose it could have it as well. Is there some way I can pass this argument to the script and keep it intact regardless of what it has in it?
I suppose that's a big problem with creating something around another design. I am making my own interface to a shopping cart and the [cdescription] part where it pulls it in is part of that shopping cart, so I can't go into that and escape the quotes, and on most of the pages where I'm not using this particular function, it would also put the escape characters in the description when it puts it in the cart.
I may just have to leave the description part out. The important part to know what is being ordered is the [cname] and the img; the [cdescription] just reinforces what it is.
David Newton wrote: How are you creating your HTML?
I use a shopping cart called VP-ASP. The ASP script creates the HTML from a template file. The template file is where you put in the [cdescription], etc., that pull from the database to create the HTML page.
Then Bear's suggestion to look into unobtrusive JS is probably your only hope--drop the description somewhere where it doesn't matter that it's not escaped (like a div or whatever) and have the JS refer only to JS-safe entities.
Heck, while I really hate to even suggest it, you could always put the description in a hidden div and pull it out using innerHTML.
All that said, any product that doesn't give you the option of HTML- and/or JS-escaping is suspect: maybe check out their templating language and see if there isn't an option for this; seems like a no-brainer to me.
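The hidden-element approach suggested in the replies above, as an added example that is not part of the original thread or of VP-ASP. The `add-item` class, the `data-desc-id` attribute, the `desc-42` id and the `addItem` function are assumed names, and the description is read with `textContent` so the browser returns it as plain text.

```javascript
// Assumed template output (names are constructed for this example):
//   <a href="#" class="add-item" data-desc-id="desc-42">[cname]</a>
//   <div id="desc-42" hidden>[cdescription]</div>
// The description never appears inside a JavaScript string literal, so quote
// characters in it cannot end a string early. It is still unescaped HTML, so a
// literal "<" in the database text would be parsed as markup by the browser.

// Shows why onclick="addItem('[cdescription]')" breaks: after substitution the
// text sits inside a JS string literal. The code is only compiled, never called.
function inlineHandlerParses(description) {
  const handler = "addItem('" + description + "')";
  try {
    new Function(handler);
    return true;
  } catch (err) {
    return false; // SyntaxError: the quote in the data closed the literal
  }
}

// Read the description as text from the hidden element the link points to.
function readDescription(doc, link) {
  const holder = doc.getElementById(link.getAttribute('data-desc-id'));
  return holder ? holder.textContent : '';
}

// Attach click handlers from script instead of inline attributes.
// Returns the number of links wired.
function wireAddLinks(doc, onAdd) {
  const links = doc.querySelectorAll('a.add-item');
  for (const link of links) {
    link.addEventListener('click', (ev) => {
      ev.preventDefault();
      onAdd(readDescription(doc, link));
    });
  }
  return links.length;
}

// In a browser, wire the page; elsewhere (e.g. Node) this is skipped.
if (typeof document !== 'undefined') {
  wireAddLinks(document, (desc) => console.log('adding:', desc));
}
```

When the handler later displays the description, assigning it to another element's `textContent` keeps it as text instead of re-parsing it as HTML.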