stripes tag for escaped string literal in JavaScript

krick
I've run into an interesting situation with un-escaped double quotes in JavaScript in a JSP.

I have some JavaScript code like this...

var companyName = "${actionBean.company.name}";

...which breaks if the company name contains double quotes.

The same situation can happen if the company name contains a single quote and the JavaScript code quotes using single quotes...

var companyName = '${actionBean.company.name}';

The only workaround I've been able to come up with involves adding new methods to the company object that I can call to get a JavaScript-escaped version of the string using Apache Commons StringEscapeUtils.escapeJavaScript().

Re: stripes tag for escaped string literal in JavaScript

James Jory

We wrote a custom taglib function called escapeJS to handle this from our JSPs and to keep JSP-specific code from polluting our model classes.

var companyName = '${vt:escapeJS(actionBean.company.name)}';

It just wraps a call to StringEscapeUtils.escapeEcmaScript().

-James

Re: stripes tag for escaped string literal in JavaScript

Stan Broné
Personally I like to output these values in a hidden form field, or a span with style "display: none;". And then grab the values from within JavaScript by using DOM functions.

It might not be as efficient, but I think the code is a bit cleaner and it solves your problem.

-Stan


Re: stripes tag for escaped string literal in JavaScript

Juan Pablo Santos Rodríguez
Hi,

Assuming your JavaScript code is on the JSP instead of on a .js file, you can use the standard <c:out /> tag or ${fn:escapeXml} function, something like
var companyName = "<c:out value="${actionBean.company.name}" escapeXml="true" />";

should do the trick. I lean more towards c:out instead of fn:escapeXml as the former also allows setting a default value if the evaluated expression is null.


HTH,
juan pablo
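
Added example (not code from any poster in this thread): a Node.js simulation of the `var companyName = "..."` line under the encodings discussed above, JS-string escaping as in the escapeJS reply and XML escaping as in the c:out reply, reporting what the page's script ends up seeing for each. The encoder names and sample company names are constructed; `escapeXml` approximates JSTL output, and `escapeJs` is an allowlist encoder standing in for a function like escapeJS, not the commons-lang implementation.

```javascript
// Added example. Encoder names are hypothetical; sample names are constructed.
const encoders = {
  none: (s) => s,
  // Approximates JSTL <c:out> / fn:escapeXml: HTML context, not JS context.
  escapeXml: (s) => s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#034;', "'": '&#039;',
  })[c]),
  // Allowlist encoder for a JS string literal: anything outside a small
  // safe set becomes \uXXXX, so quotes, backslashes, newlines and "<"
  // can never terminate the literal or the surrounding <script> block.
  escapeJs: (s) => s.replace(/[^A-Za-z0-9 ,._-]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')),
};

// Render the line from the thread as the JSP would emit it.
function render(name, encoder) {
  return 'var companyName = "' + encoders[encoder](name) + '";';
}

// Parse and run the rendered line, then compare what the script sees
// with the original value held on the server.
function check(name, encoder) {
  try {
    const seen = new Function(render(name, encoder) + '\nreturn companyName;')();
    return seen === name ? 'round-trips' : 'corrupted: ' + seen;
  } catch (e) {
    return e.name; // e.g. SyntaxError: the whole <script> block fails
  }
}

const samples = ['Acme "Best" Widgets', "O'Reilly & Sons", 'C:\\Temp Ltd', 'Two\nLines'];
for (const name of samples) {
  for (const encoder of Object.keys(encoders)) {
    console.log(JSON.stringify(name), encoder, '->', check(name, encoder));
  }
}
```

Inside a script element the browser does not decode HTML entities, which is why the XML-escaped value parses but no longer equals the stored name, and why backslashes and newlines still get through unescaped.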

Re: stripes tag for escaped string literal in JavaScript

krick
In reply to this post by Stan Broné
That's actually a really good idea.  I hadn't considered using a hidden field or span.  Thanks for the tip.
