1

I don't know why this link does not work, but I have a Javascript redirect (window.opener.location) that I am passing a number of variables through the URL and am having issues when those variables contain apostrophes. I am using URLENCODE() in PHP to build the link, which looks like it is doing what I need when I dump the source, but Safari and Chrome both throw "Unexpected identifier at 'www'" errors when I click the link.

This seems to tell me that the JS link is still being treated as if it has an apostrophe instead of the %27 equivalent of an apostrophe? I am using a dummy name "qqq'www qqq'www" with apostrophes in first and last name for my testing to break as much stuff as possible.

Here is the link I am having trouble with:

<a href="javascript:top.close();window.opener.location='../cust/maint_cust.php?action=del_are_you_sure&cust_id=249735&lname=Qqq%27www&fname=Qqq%27www'"><em>Yes</em></a>

But if I change the link to use onclick instead of the HREF, it works? I realize this is the better coding method than href='javascript:...' too.

<a href="#" onclick="top.close();window.opener.location='../cust/maint_cust.php?action=del_are_you_sure&cust_id=249735&lname=Qqq%27www&fname=Qqq%27www'"><em>Yes</em></a>

Everything is identical except where I make the JS call. Is this possibly due to the way the HREF and onclick are handled on encoding/decoding? Maybe the HREF is un-encoding the apostrophes prior to making the link call because the JS is embedded in the HREF call?

Any insight into this behavior would be appreciated so I can better understand what is really going on here. Yes it works, but not knowing why makes me feel like a worse developer...

Thanks!

Jon Koerber
  • 33
  • 7
  • I guess that the cause of the difference is that the `javascript:` URLs are considered a different "browsing context origin" (very roughly – a different "domain", see https://html.spec.whatwg.org/multipage/browsers.html#creating-browsing-contexts). By the way, do you really have to put everything in one attribute? What about something like `Yes`? – Ilya Streltsyn Dec 09 '19 at 10:16

2 Answers2

0

Your links do not have a > to end the starting <a - and yes, do not use href="javascript:

Also if you need to encode, use encodeURIComponent and lastly do not try to close the window before changing the opener.

But why not name the opener and user a target and a setTimeout?

<a target="nameOfOpener" 
href="../cust/maint_cust.php?action=del_are_you_sure&cust_id=249735&lname=Qqq%27www&fname=Qqq%27www"
onclick="setTimeout(function() {top.close()},100)"><em>Yes</em></a>
mplungjan
  • 169,008
  • 28
  • 173
  • 236
  • Sorry about that, the links actually do have an end > in them, when I was tweaking the posting I deleted them while removing some other superfluous information. Still want to know why one works and the other does not in their current form (before I consider any other changes) – Jon Koerber Aug 31 '18 at 19:18
0

Browsers give a special treatment to href attributes starting with 'javascript:'. Any %xy encoding, as in your case the %27, will be decoded first before executing the Javascript code. I checked this for current versions of Firefox and Chrome. I would be curious to find a documentation of this feature.

The short answer is: Do not use 'javascript:' in a href, if your Javascript code contains %xy encodings.

In case you really have to use 'javacript:' in a href, put your URL into a javascript variable and then reference that variable in your href's Javascript code.

<script>
myURLwithEncodings = "../cust/maint_cust.php?action=del_are_you_sure&cust_id=249735&lname=Qqq%27www&fname=Qqq%27www";
</script>

<a href="javascript: window.opener.location=myURLwithEncodings; top.close();"><em>Yes</em></a>
jofeu
  • 65
  • 3