For example, I've a PHP script with this content:

<?php
$msg = addslashes("I'm a message. The what happened >:(");
echo "<script>alert($msg); return false;</script>";
?>

But the alert gets broken by the last "(". How can I solve this?

Sein Kraft

5 Answers

6

You should enclose the alert parameter in quotes:

echo "<script>alert('$msg'); return false;</script>";

What your code outputs to the browser is:

<script>alert(The what happened >:(); return false;</script>

which is not valid JavaScript; after putting in the quotes, it becomes:

<script>alert('The what happened >:('); return false;</script>

which is valid JavaScript.

aularon
  • Many thanks, but now I'm getting "unterminated string literal" and I've the addslashes() in the PHP msg. – Sein Kraft Sep 04 '10 at 20:11
  • You need to add the quotes: `alert('$msg');`. What `addslashes` does is to escape (backslash) quote occurrences in its parameter, i.e. it will change `I'm a message. The what happened >:(` into `I\'m a message. The what happened >:(`, but it won't surround it with quotes. – aularon Sep 04 '10 at 20:19
  • I've added the quotes in the alert(), but still it doesn't work; I get "unterminated string literal". – Sein Kraft Sep 04 '10 at 20:22
  • Can you update the question with your latest PHP code, and your HTML source output as well? – aularon Sep 04 '10 at 20:26
  • @Sein Kraft But you still have `alert($msg);` instead of `alert('$msg');` in your code above. – aularon Sep 04 '10 at 21:05
  • If I update that in the main question, new users who arrive at the question itself can't see why this thread was created, since the real question will appear fixed in the example. So they can't figure out the problem. Again, I've set alert('$msg'); and I'm getting "unterminated string literal". – Sein Kraft Sep 04 '10 at 21:25
  • Can you paste your HTML source output? You can add it to the question by adding `EDIT: after fixing first problem here's what I got: ....`. If you can add both HTML and current PHP source, that will help a lot. – aularon Sep 04 '10 at 21:27
  • $msg = addslashes("I'm a message. The what happened >:("); echo ""; – Sein Kraft Sep 04 '10 at 22:40
  • @Sein Kraft I just tried that; the problem now is not an `unterminated string literal` with the `alert`, but `return not in function`. Take that return off the ` – aularon Sep 04 '10 at 23:42
2

You need to put it in a JavaScript string, otherwise it gets interpreted like this, which is meaningless and causes an error:

<script>alert(The what happened >:(); return false;</script>

Notice the single quotes in the alert() call which denote a JavaScript string (double quotes work too):

<?php
$msg = "The what happened >:(";
echo "<script>alert('$msg'); return false;</script>";
?>

It is also a good idea to escape the content inside to mitigate XSS, using htmlspecialchars().

BoltClock
  • Double quotes work, too, but remember to escape them, as the string is delimited by double quotes. +1 for XSS warning, though there's no need to worry when the OP uses static strings. – Marcel Korpel Sep 04 '10 at 20:06
  • Yeah, it's just a friendly warning :) – BoltClock Sep 04 '10 at 20:08
  • Although `htmlspecialchars()` is the wrong kind of escaping for inclusion in a JS string literal in ` – bobince Sep 04 '10 at 20:34
2

The other answers are along the right lines, but it is not sufficient to just put quotes around the string, if it can be any arbitrary string. If the string itself contains a quote, backslash, or newline, that will break the JavaScript string literal. If the string contains </script (or just </ in some cases) that will break the <script> block. In either case, if user-supplied input is involved, that gives you a big old cross-site-scripting security hole.

Whilst you may not need it for this specific value of $msg, it's a good idea to get used to JS-string-literal-escaping any text you output into a JS string. Whilst you can do this manually by adding backslashes, it's generally much easier to just use the built-in JSON encoder, which will work for other types like arrays and objects as well as strings.

<script type="text/javascript">
    alert(<?php echo json_encode($msg); ?>);
    return false; // huh? return, in a <script> block??
</script>
bobince
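As an added example (not part of bobince's answer or the question), here is a small PHP helper built on the json_encode() approach above, with the JSON_HEX_* flags added so the literal stays inert even where the HTML parser sees it first. It runs the OP's addslashes() version and the json_encode() version side by side over a few constructed inputs: the OP's message, a message with a raw newline, and one containing a closing script tag. Assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR).

```php
<?php
// Added example: emit untrusted text as a JavaScript string literal in an inline
// <script> block. Assumes PHP 7.3+.

// Sample messages, constructed for this example. Each breaks the naive
// alert('$msg') pattern differently: addslashes() does cover the apostrophe
// and backslashes, but not a raw newline or a closing </script> tag.
$samples = [
    "I'm a message. The what happened >:(",   // the OP's value: a bare apostrophe
    "line one\nline two",                      // raw newline: "unterminated string literal"
    "</script><script>alert(1)</script>",      // ends the <script> element itself
];

function js_string_literal(string $text): string
{
    // json_encode() yields a valid JS string literal: it escapes quotes,
    // backslashes, control characters and, by default, "/" (so "</script"
    // becomes "<\/script"). JSON_HEX_* additionally turns < > & ' " into
    // \uXXXX escapes. Invalid UTF-8 is replaced with U+FFFD instead of making
    // json_encode() return false, and any other failure throws JsonException.
    return json_encode(
        $text,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
}

foreach ($samples as $msg) {
    // The question's approach: addslashes() plus single quotes.
    $naive = "<script>alert('" . addslashes($msg) . "');</script>";
    // The json_encode() approach from the answer above, with the extra flags.
    $safe  = "<script>alert(" . js_string_literal($msg) . ");</script>";
    echo "naive: $naive\nsafe:  $safe\n\n";
}
```

Note that json_encode() also escapes non-ASCII characters as \uXXXX by default, so U+2028/U+2029 line separators, which older JavaScript engines treat as line terminators inside a string literal, are handled as well.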
0

Depending on the context, you might also just do:

<?php
    $msg = "The what happened >:(";
?>

<script>alert("<?php echo $msg ?>"); return false;</script>

If there is no need to echo HTML or JavaScript code, then don't do it. It is easier to maintain.

Felix Kling
0

alert() accepts a string argument; you must enclose the text you're passing to it in quotes (either single or double) and ensure that any matching quotes within the string are escaped by backslashes.

In your case single quotes would suffice:

echo "<script>alert('$msg'); return false;</script>";
user229044