in reply to CGI, Javascript and Single Quotes

onclick="return addNote(&#39;FlagNotesTable&#39;);"
and
onclick="return addNote('FlagNotesTable');"
are the same thing. Both will execute
return addNote('FlagNotesTable');
JavaScript will never even see &#39;. It will be transformed to ' before being passed to JavaScript.

Re^2: CGI, Javascript and Single Quotes
by rashley (Scribe) on Nov 15, 2006 at 18:28 UTC
    This doesn't seem to be the case for me.

    I tried inserting &#39; in place of ' on my little test HTML page, and the Javascript bombed.

      Your browser is broken if this is a problem. According to the strict DTD, what's in between script tags and event handlers is to be considered CDATA, which is defined as "a sequence of characters from the document character set and may include character entities." &#39; is a character entity.

      IE6 and FF1.5 had no problems handling entities in the event handler when I tested them using the following HTML doc:

      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
      <title>test</title>
      <p><a onclick="alert(&#39;FlagNotesTable&#39;);">escaped</a>
      <br><a onclick="alert('FlagNotesTable');">Not escaped</a>

      Update: Added first paragraph.
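
The decoding step discussed in this thread, as an added example that is not part of any poster's message: it models how an attribute value is entity-decoded before the handler text reaches the JavaScript engine, and goes one step further by encoding an arbitrary argument so it survives that decode as data. The names `decodeAttr`, `handlerSource`, `runHandler` and `encodeHandlerArg` and the stub `addNote` are assumptions made for the illustration.

```javascript
// Added example: models the attribute-value decoding an HTML parser performs
// before an event handler reaches the JavaScript engine. addNote is a stub.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode decimal, hex and a few named character references in one pass,
// so "&#38;lt;" becomes "&lt;" and is not decoded a second time.
function decodeAttr(value) {
  return value.replace(/&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));/g,
    (m, dec, hex, name) => {
      if (name) return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
      const cp = dec ? Number(dec) : parseInt(hex, 16);
      return cp > 0 && cp <= 0x10FFFF ? String.fromCodePoint(cp) : m;
    });
}

// Raw (still encoded) value of a double-quoted onclick attribute, or null.
function rawOnclick(tag) {
  const m = /\bonclick="([^"]*)"/.exec(tag);
  return m ? m[1] : null;
}

// What the JavaScript engine is actually handed: the decoded attribute value.
function handlerSource(tag) {
  const raw = rawOnclick(tag);
  return raw === null ? null : decodeAttr(raw);
}

// Compile the handler body and run it with a stub addNote that records its argument.
function runHandler(tag) {
  const seen = [];
  const addNote = (id) => { seen.push(id); return false; };
  const result = new Function('addNote', handlerSource(tag))(addNote);
  return { result, seen };
}

// Encode an argument for the attribute: JavaScript string literal first, then
// HTML entities, so any quotes in the value come out of the decode as data.
function encodeHandlerArg(value) {
  return JSON.stringify(String(value))
    .replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Constructed sample tags matching the two forms compared in the thread.
const escaped = '<a onclick="return addNote(&#39;FlagNotesTable&#39;);">';
const plain = '<a onclick="return addNote(\'FlagNotesTable\');">';
console.log(handlerSource(escaped) === handlerSource(plain)); // same handler text
console.log(runHandler(escaped).seen, runHandler(plain).seen);
```

Because the entity is gone by the time the script runs, HTML-escaping alone does not make a value safe inside a JavaScript string in an event handler; `encodeHandlerArg` applies both layers in the order the browser undoes them.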