1

I have some vb code as below:

    Dim sb As System.Text.StringBuilder = New System.Text.StringBuilder()
    sb.Append("<script type=""text/javascript"">")
    sb.Append(" function addRow() {")
    sb.Append(" var div = document.createElement('div');")
    sb.Append(" div.className = 'panel panel-info';")
    sb.Append(" div.innerHTML = '")

    For i = 0 To dtf.Rows.Count - 1
        Dim NAME As String = dtf.Rows(i)(0).ToString
        Dim Datee As String = dtf.Rows(i)(3).ToString
        Dim commentsth As String = dtf.Rows(i)(2).ToString
        Dim urlh As String = dtf.Rows(i)(1).ToString
        sb.Append("<div class=""panel-heading"">")
        sb.Append(" <h4 class=""panel-title"">")
        sb.Append(" <a data-toggle=""collapse"" data-parent=""#accordion"" href=""" & urlh & """>")
        sb.Append(" " & NAME & "  " & Datee & "</a>")
        sb.Append(" </h4>")
        sb.Append(" </div>")
        sb.Append(" <div id=""collapse" & i & """ class=""panel-collapse collapse in"">")
        sb.Append(" <div class=""panel-body"">")
        sb.Append(" " & commentsth & "")
        sb.Append(" </div>")
        sb.Append(" </div>")
    Next
    sb.Append("';")
    sb.Append(" document.getElementById('WorldNews').appendChild(div);}")
    sb.Append("</script>")
    ClientScript.RegisterClientScriptBlock(Me.GetType(), "MyScript", sb.ToString())

This code appends JavaScript code to the web page.

My problem is that if, for instance, the variable `commentsth` contains the characters `'`, `"` or `\`, it will affect the output, because `'` or `"` could be the closing mark of a string, i.e. if `commentsth = "he's.."` then the problem happens:

    " '<div class=""panel-body"">" & he's.. & ""

How can I avoid this situation?

DIY-DS
  • 243
  • 4
  • 16
  • [Please take a look at this.](http://www.tutorialspoint.com/vb.net/vb.net_character_escapes.htm) and also [here](http://stackoverflow.com/questions/7726420/how-to-escape-double-quotes-in-as-a-parameter-to-an-nunit-testcase). – aspiring Jun 11 '15 at 07:08
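Added example, not code from the question: the same fragment built with the data encoded once per context it lands in. It is written in JavaScript (run with Node) so it executes offline; the server-side .NET counterparts are `HttpUtility.HtmlEncode` for the HTML layer and `HttpUtility.JavaScriptStringEncode` (System.Web, .NET Framework 4.0 and later) for the script layer. The rows are constructed sample objects standing in for `dtf.Rows`, and the `innerHTML` literal becomes double-quoted because that is the form `JSON.stringify` produces. It goes beyond the three characters in the question: newlines, `</script>` and the U+2028/U+2029 terminators are handled as well, and markup in the data is rendered as text rather than as tags.

```javascript
// Added example (JavaScript standing in for the VB page code); the row data
// below is constructed sample input, not rows from the question's "dtf" table.

// Turn a value into a JavaScript string literal that is safe inside an inline
// <script>. JSON.stringify escapes backslash, double quote, newlines and other
// control characters; the extra replacements cover what JSON leaves raw but an
// HTML parser or older engine trips on: "<" and ">" (so "</script>" in the
// data cannot end the script element) and the U+2028/U+2029 line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Escape a value for the HTML context (element text or a quoted attribute).
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Server side: build the script block the page registers. Every data field is
// HTML-encoded (it ends up in innerHTML); the whole HTML string is then JS
// encoded once (it sits inside a JavaScript string). The fixed markup is part
// of the program, so only the data goes through htmlEncode.
function buildScript(rows) {
  const html = rows.map((row, i) =>
    '<div class="panel-heading"><h4 class="panel-title">' +
    '<a data-toggle="collapse" data-parent="#accordion" href="' + htmlEncode(row.url) + '">' +
    htmlEncode(row.name) + '  ' + htmlEncode(row.date) + '</a></h4></div>' +
    '<div id="collapse' + i + '" class="panel-collapse collapse in">' +
    '<div class="panel-body">' + htmlEncode(row.comment) + '</div></div>'
  ).join('');
  return "function addRow() { var div = document.createElement('div');" +
    " div.className = 'panel panel-info';" +
    " div.innerHTML = " + jsStringLiteral(html) + ";" +
    " document.getElementById('WorldNews').appendChild(div); }";
}

// Offline check: pull the innerHTML literal back out of the generated script
// and parse it the way the browser's JS engine would.
function decodeInnerHtml(script) {
  const m = /div\.innerHTML = ("(?:[^"\\]|\\.)*");/.exec(script);
  return m ? JSON.parse(m[1]) : null;
}

// Constructed rows containing the characters from the question plus markup.
const sampleRows = [
  { name: "Alice", date: "11 Jun 2015", url: "#collapse0", comment: "he's <b>bold</b>" },
  { name: 'Bob "B"', date: "11 Jun 2015", url: "#collapse1", comment: "path C:\\temp</script>" },
];

console.log(buildScript(sampleRows));
```

The order matters: HTML-encode the field first, then JS-encode the whole string, because the browser undoes the layers in the reverse order (the JS engine parses the literal, then `innerHTML` parses the HTML). If the script instead built the panel with `document.createElement` and `textContent`, the HTML layer would disappear and only the JS-literal encoding would be needed.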

3 Answers

0

Use an HTML-encoded string for the variables, so that, for example, a space is converted to `%20`:

    sb.Append(" " & Uri.EscapeDataString(commentsth) & "")

Also in the script you might want to include something to decode the string back to normal before actually appending it to WorldNews:

    sb.Append(" div.innerHTML = decodeURI('")
    ...
    sb.Append("');")
Keith Mifsud
  • 725
  • 5
  • 16
  • Thanks, but right now the question is not the blank, but the character ' – DIY-DS Jun 11 '15 at 10:17
  • Yeah, the space was an example... this does all symbols – Keith Mifsud Jun 11 '15 at 10:18
  • What if you do something similar yourself, like from VB replace all `'`, `"` and `/` with, let's say, `%1`, `%2` and `%3`... Then in the JavaScript do a replace of all `%1` back to `'` and so on – Keith Mifsud Jun 11 '15 at 10:24
  • { – DIY-DS Jun 11 '15 at 10:25
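Added example, not part of the answer: a check of the encode/decode pairing this answer relies on. `decodeURI` deliberately leaves the escapes for the URI-reserved set (`; / ? : @ & = + $ , #`) in place, so a value that was percent-encoded as a whole component only round-trips through `decodeURIComponent`. `encodeURIComponent` plus an explicit `'` to `%27` step stands in for the server-side `Uri.EscapeDataString` (assumption: the server encoder escapes `/` as `%2F` and `'` as `%27`); the sample string is constructed.

```javascript
// Added example, not the answer's code. encodeURIComponent plus an explicit
// "'" -> %27 step stands in for the server-side Uri.EscapeDataString
// (assumption: the server encoder escapes every reserved character, including
// "/" as %2F and "'" as %27).
function encodeLikeServer(value) {
  return encodeURIComponent(value).replace(/'/g, "%27");
}

// The answer's client-side step: decodeURI keeps escapes for the URI-reserved
// set ; / ? : @ & = + $ , # untouched, so %2F comes back as the text "%2F".
function decodeAsAnswer(encoded) {
  return decodeURI(encoded);
}

// decodeURIComponent undoes every percent-escape, which is what a value that
// was encoded with a component encoder needs.
function decodeAsComponent(encoded) {
  return decodeURIComponent(encoded);
}

// Report what each decoder yields for one value and whether it round-trips.
function compareDecoders(value) {
  const encoded = encodeLikeServer(value);
  const viaURI = decodeAsAnswer(encoded);
  const viaComponent = decodeAsComponent(encoded);
  return {
    encoded,
    viaURI,
    viaComponent,
    uriRoundTrips: viaURI === value,
    componentRoundTrips: viaComponent === value,
  };
}

// Constructed sample: the question's apostrophe, a quote, a backslash, a slash
// and a newline, all of which would break the single-quoted literal if raw.
const sample = "he's \"quoted\" a/b\\c\nnext line";
console.log(compareDecoders(sample));
```

Two caveats remain even with `decodeURIComponent`: the percent-encoded form is only safe inside the literal because `%`, hex digits and the unreserved characters never terminate a string, and the decoded value is still handed to `innerHTML`, so any markup in the data is rendered as markup unless it is HTML-encoded as well (or assigned through `textContent`).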
0

You can replace the `'`, `/`, and `"` characters with `&apos;`, `&#47;` and `&quot;` respectively, and the generated HTML should know what those are.

Something like this for each character you want to replace; just use its ASCII HTML character code:

    commentsth = commentsth.Replace("'", "&apos;")

Link to ASCII Codes

Laz Padron
  • 26
  • 4
0

Create a function to replace the unwanted characters and add it to your code like so:

    ...
    sb.Append(" <div class=""panel-body"">")
    sb.Append(" " & ReplaceSpecials(commentsth) & "")
    sb.Append(" </div>")
    ...

Example:

    Function ReplaceSpecials(ByVal Text As String) As String
        Return Text.Replace("'", "").Replace("\", "")
    End Function
Pedro
  • 1
  • 1
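Added example, not the answer's own code: a JavaScript port of `ReplaceSpecials` together with a check that asks the JS parser itself whether a value survives the single-quoted literal the question builds. This is the test a practitioner would want before trusting any character-replacement function in this position: the oracle is `new Function` (used here only as an offline parser), and the sample inputs are constructed.

```javascript
// Added example, not the answer's code: a port of the answer's ReplaceSpecials
// and a parser-based check of what comes out of the single-quoted literal.
function replaceSpecials(text) {
  // Same behaviour as the VB function: the characters are deleted, not escaped.
  return text.replace(/'/g, "").replace(/\\/g, "");
}

// Build the literal exactly as the page does: a single-quoted string.
function singleQuotedLiteral(text) {
  return "'" + text + "'";
}

// Oracle: parse the literal with the JS engine (offline check only) and report
// what it evaluates to, or the error class if the literal is broken.
function parseLiteral(literal) {
  try {
    return { ok: true, value: new Function("return " + literal + ";")() };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Run both steps for one input and say whether the original value came back.
function checkReplaceSpecials(input) {
  const result = parseLiteral(singleQuotedLiteral(replaceSpecials(input)));
  return { ...result, lossless: result.ok && result.value === input };
}

// Constructed sample inputs: the question's own case, a Windows path, a
// multi-line comment and a double quote.
const samples = ["he's..", "C:\\temp\\x", "line one\nline two", 'say "hi"'];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", checkReplaceSpecials(s));
}
```

The check shows the two limits of a stripping approach: the literal stays intact for the question's input but the apostrophe is gone (`he's..` becomes `hes..`), and a comment containing a newline still breaks the literal because newlines were never on the replacement list. An escaping encoder such as `HttpUtility.JavaScriptStringEncode` passes this oracle with the original value returned for every input.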