
I've been searching for a solution to be able to have the following:

<a href="http://mylink.com" title="what's the big "DEAL" about "double quotes" & 'single' ones">a</a>

so the tooltip shows up as: what's the big "DEAL" about "double quotes" & 'single' ones

So the user inputs their text in a dialog box and I'm using js to parse the text, put it in the wysiwyg (tinymce) and then send to db.

Here's what I've tried:

encodeURIComponent gives me: what's%20the%20big%20%22DEAL%22%20about%20%22double%20quotes%22%20%26%20'single'%20ones

this doesn't solve it because when I take the data out of mysql and dump it back on the page I'm back to the original because I use url decode on the whole text (this I cannot change).

Tried escaping the quotes with regex like:

title.replace(/'/g, "\\'");
title.replace(/"/g, '\\"');

This worked on 'single' quotes but not double

What I get back is title="what\'s the big \" (note I'm using a prepared statement in php to insert this into the db)

I've researched escaping strings and certain characters in js or encoding them so for example `"` becomes `&quot;` but all I get is stuff that requires you to build your own functions. Is this the case?

My question is this:

Am I missing something? Is there a more elegant solution to this? How would you recommend I do it? Where in the process should this be done?

I've seen this (How to escape double quotes in title attribute) but this doesn't explain how to create a robust solution for handling constantly changing user content (and title attribute).

Thank you all.

  • It isn't clear what portion of that is user input, or what PHP and MySQL have to do with it. – Quentin Feb 07 '14 at 16:19
  • Are we really just talking about html entity encoding? `title="what's the big &quot;DEAL&quot; about &quot;double quotes&quot; &amp; 'single' ones"` sort of thing? – CD001 Feb 07 '14 at 16:22
  • Sorry - updated comment. User inputs text for A tag (including title attribute info) in dialog box and I parse in JS and insert the A tag. – Noodle Head Feb 07 '14 at 16:23
  • @CD001 I'm using prepared statements without the need to do that. Your option would be to put them in using htmlspecialchars in php? – Noodle Head Feb 07 '14 at 16:25
  • @NoodleHead I'm only referring to the output - do everything as you would for putting it into the database (don't muck about with the data there) but when it comes to retrieving that data and spaffing it into the HTML *then* you `htmlspecialchars()` it. I may have got the wrong end of the stick though ... – CD001 Feb 07 '14 at 16:35
  • I suppose you could encode them twice before storing. That's kinda horrible though. – femtoRgon Feb 07 '14 at 16:41
  • @CD001 - tried it just now... the result is that now I see code on the page as such: `fsdafasdfasdf` – Noodle Head Feb 07 '14 at 16:41
  • @CD001 I do think you may be onto something IF you know of an htmlspecialchars version for JS... That would really help since it's only the title that needs encoding. All I could find is home-made functions to replace stuff... – Noodle Head Feb 07 '14 at 16:42
  • @NoodleHead ah, yeah, you don't want to htmlentities the entire output (if you're outputting HTML) just the bits that need escaping ... and now it gets complicated! I'd recommend looking at a library like HTMLPurifier http://htmlpurifier.org/ ... then you can just clean up your output with something like `echo $purifier->purify($dirty_html);` – CD001 Feb 07 '14 at 16:44
  • @CD001 I actually have that but I'm not aware how to make it do this. Its main purpose is to just make sure users don't inject malicious content. – Noodle Head Feb 07 '14 at 16:46
  • 1
    @NoodleHead if you've got access to just the string being entered into the *title* attribute with JS, you could just do some simple RegExp replacements like : http://stackoverflow.com/questions/1787322/htmlspecialchars-equivalent-in-javascript - `htmlspecialchars()` is pretty basic tbh. Otherwise, you can use HTMLPurifier to parse your entire output HTML string and it should encode only the HTML entities it needs to (e.g. those quote marks in your title attributes). – CD001 Feb 07 '14 at 16:51
  • @CD001 Yes, I guess I have to stick with that. I just assumed JS provides some function that maybe I don't know about or maybe some more elegant way of dealing with this... but I guess we have to make our own functions... – Noodle Head Feb 07 '14 at 16:59
  • @NoodleHead - odd, if you're using the function in the answer in the other SO post I linked to ... it should as far as I can see... – CD001 Feb 07 '14 at 17:03
  • @CD001 It is, my mistake. I had forgotten to *save the file after changing something. That's why it didn't work. Thanks for the help :) – Noodle Head Feb 07 '14 at 17:05
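
An added example, not code from the question or from any of the commenters: a JavaScript equivalent of PHP's `htmlspecialchars($s, ENT_QUOTES)`, applied at the one point the question controls, where the `<a>` tag is built before it goes into the editor. It also shows why the backslash attempt from the question produces exactly `title="what\'s the big \"`: an HTML parser ends a quoted attribute at the next `"` and gives backslashes no meaning, whereas entities survive the trip through the database and the output-side URL decode (an entity such as `&quot;` contains no `%`, so `urldecode` leaves it alone). The function names (`escapeAttr`, `unescapeAttr`, `isSafeHref`, `buildAnchor`, `titleSeenByBrowser`) and the sample title are my own; the href scheme check is an extra the question does not ask for, added because a user-supplied href is as attacker-controlled as the title.

```javascript
// Added example (not from the original post). Entity-encode a user-supplied
// string so it is safe inside a double-quoted HTML attribute, then build the
// <a> tag. All names here are the example's own.

// The five characters that matter in HTML text or inside quoted attributes.
// Encoding all five is what PHP's htmlspecialchars($s, ENT_QUOTES) does.
const ATTR_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Entity-encode a string for HTML text or a quoted attribute value. A single
// regex pass handles "&" together with the others, so entities produced here
// are never re-encoded by a later step of the same call.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ENTITIES[ch]);
}

// Reverse of escapeAttr for the entities above plus numeric references. This
// is what the browser does when it parses the attribute, which is why the
// tooltip shows the original characters. "&amp;" is decoded last so an
// input like "&amp;lt;" becomes "&lt;" and not "<".
function unescapeAttr(value) {
  return String(value)
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(Number(dec)))
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Allow only http(s), mailto or relative link targets. Browsers strip tabs and
// newlines out of URLs before resolving them, so remove those first or
// "java\tscript:" would slip past the scheme check.
function isSafeHref(href) {
  const h = String(href).replace(/[\t\n\r]/g, "").trim();
  if (/^(https?:|mailto:)/i.test(h)) return true;
  return !/^[a-z][a-z0-9+.-]*:/i.test(h); // no scheme at all: relative URL
}

// Serialize the <a> tag. Every interpolated value is encoded, so the string
// is safe to insert as HTML, to store and reload as text, and to hand to the
// editor as content.
function buildAnchor(href, title, text) {
  if (!isSafeHref(href)) {
    throw new Error("refusing href with disallowed scheme: " + href);
  }
  return `<a href="${escapeAttr(href)}" title="${escapeAttr(title)}">${escapeAttr(text)}</a>`;
}

// What the browser ends up showing as the tooltip: the attribute value runs
// to the next `"` whatever precedes it (a backslash is just a character in
// HTML), and the entities inside are then decoded.
function titleSeenByBrowser(tagHtml) {
  const m = /\stitle="([^"]*)"/.exec(tagHtml);
  return m ? unescapeAttr(m[1]) : null;
}

// Constructed sample input, the title from the question.
const userTitle = `what's the big "DEAL" about "double quotes" & 'single' ones`;

// The backslash approach from the question: the browser's title is truncated
// at the first double quote, giving `what\'s the big \`.
const backslashed =
  `<a href="http://mylink.com" title="${userTitle.replace(/'/g, "\\'").replace(/"/g, '\\"')}">a</a>`;

// Entity encoding: the stored markup round-trips to the original title.
const encoded = buildAnchor("http://mylink.com", userTitle, "a");

if (typeof require !== "undefined" && require.main === module) {
  console.log(backslashed, "=>", titleSeenByBrowser(backslashed));
  console.log(encoded, "=>", titleSeenByBrowser(encoded));
}
```

Encode once, at the point where user text becomes markup, and store the markup as-is. If the same value is later encoded again on output (the double-encoding femtoRgon mentions), `&amp;` becomes `&amp;amp;` and the tooltip will show the literal `&amp;`; pick one side, JS before insertion or PHP `htmlspecialchars()` on output, not both.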
