How do I escape an ampersand in a javascript string so that the page will validate strict?

Question

I am trying to pass a dataString to to an ajax call using JQuery. In the call, I construct the get parameters and then send them to the php page on the receiving end. The trouble is that the data string has ampersands in them and the HTML strict validator is chocking on it.

Here is the code:

$(document).ready(function(){
    $("input#email").focus();
    $('#login_submit').submit(function(){
        var username = $('input#email').val();
        var password = $('input#password').val();
        var remember = $('input#remember').attr("checked");
        var dataString = "email="+username+"&password="+password+"&remember="+remember;
        $.post('login.php', dataString, function(data) {
            if (data == 'Login Succeeded.') {
                location.reload(true);
            } else {
                $("input#email").focus();
                $("#login_msg").html(data).effect("pulsate", {times: 2}, 1000); 
            }
        });         
        return false;
    });
});

and here is an example of the validator message: cannot generate system identifier for general entity "password".

var dataString = "email="+username+"&password="+password+"&remember="+rememb…

(in the validator the "p" after the first ampersand is marked red indicating the point of the failure).

Marc Novakowski · Accepted Answer · 2008-12-10T04:10:09.027

38

Try putting your javascript inside a CDATA block like this:

<script type="text/javascript">
<![CDATA[
// content of your Javascript goes here
]]>
</script>

which should make it pass validation. To be extra safe you can add Javascript comments around the CDATA tags to hide them from older browsers who don't understand the CDATA tag:

<script type="text/javascript">
/* <![CDATA[ */
// content of your Javascript goes here
/* ]]> */
</script>

edited Dec 10 '08 at 04:10

answered Dec 10 '08 at 04:04

Marc Novakowski

44,628
11
58
63

1

That was perfect. The first answer didn't work but the second one did. Thanks for the help! – Mike Farmer Dec 10 '08 at 04:15

score 25 · Answer 2 · answered May 06 '09 at 19:33

25

"\u0026" works!

answered May 06 '09 at 19:33

score 6 · Answer 3 · answered Dec 10 '08 at 23:00

6

Note: before one goes blindly wrapping text in CDATA blocks, be aware that CDATA's purpose is NOT for making invalid characters valid.

See: http://www.flightlab.com/~joe/sgml/cdata.html

answered Dec 10 '08 at 23:00

BryanH

5,826
3
34
47

score 1 · Answer 4 · edited Oct 27 '12 at 18:45

Sometimes \u0026, &#38, %26, &amp, or <![CDATA[ ... ]]> work for ampersands in script blocks in xhtml.
I would like to ask why we should want that kind of a restriction (blink loyalty to the errors in the design of SGML) which also prevents &nbsp, mathml, target, and nested xml from working.
Why can't we simply say that in a script block no tags or other SGML stuff gets recognized? Why can't xhtml let targets work?
I don't see an advantage to SGML that outweigh the disadvantages. Right now, even though html5 is somewhat available, xhtml is the validator that catches the most developer errors. Let's fix xml without historical regard to its origins.

score -1 · Answer 5 · answered Dec 10 '08 at 04:07

-1

i would try:

var dataString = "email="+username+"&amp;password="+password+"&amp;remember="+remember;

answered Dec 10 '08 at 04:07

Luis Melgratti

11,881
3
30
32

How do I escape an ampersand in a javascript string so that the page will validate strict?

5 Answers5

Linked