<p>You've got a JavaScript string literal inside an HTML attribute value.</p>
<p>So you would need to first JS-encode the value (replacing the <code>'</code> with <code>\'</code> and <code>\</code> with <code>\\</code>), <em>then</em> HTML-encode. Currently you are HTML-encoding the <code>'</code> (which would be ineffective, since the browser would decode it back to an apostrophe before the JS engine saw it)... and then HTML-encoding it again, leaving it literally meaning <code>&amp;#39;</code>.</p>
<p>Use a JSON encoder to turn a string (or any other value type) into a JavaScript literal.</p>
<p>However. Writing JavaScript in a string utterly sucks. Keeping track of multiple layers of escaping isn't something the mind is good at. So don't do it. Avoid inline event handler attributes at all times. Instead, use static script and assign handlers from JavaScript itself, using unobtrusive scripting.</p>
<pre><code>&lt;a class="dangerous fg-button fg-button-icon-solo ui-state-default ui-corner-all"
   href="&lt;%= Server.HTMLEncode(Url.Action("Activate", new {id = item.company_id})) %&gt;"
   title="This action will activate this company's primary company (&lt;%= Server.HTMLEncode(companyName) %&gt;) and all of its other subsidiaries."&gt;
    &lt;span class="ui-icon ui-icon-refresh"&gt;&lt;/span&gt;
&lt;/a&gt;
</code></pre>
<p>(I'll use jQuery since you have it in your tags:)</p>
<pre><code>&lt;script type="text/javascript"&gt;
    $('.dangerous').click(function() {
        return confirm(this.title + ' Continue?');
    });
&lt;/script&gt;
</code></pre>
<p>However note that this is an abuse of <code>&lt;a&gt;</code>. Actions that make an active change to something should never be sent, or be allowed to be received, as a GET request. You should instead use a button that submits a POST request (either directly as a form, or via AJAX). (You should also consider using ASP.NET's built-in controls instead of templating the values in, to avoid having to call <code>HTMLEncode</code> quite so much.)</p>
<p>See <a href="http://thedailywtf.com/articles/the_spider_of_doom.aspx" rel="nofollow noreferrer">this classic WTF</a> for one way in which this can bite you.</p>
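<p>As an added example (not part of the answer above or of the asker's code), the two encoding layers the answer describes, modelled outside a browser: a value is JS-encoded into a string literal, that literal is HTML-encoded into the attribute, and the browser undoes only the HTML layer before the JS engine parses the handler. The function names, the simplified <code>htmlAttrDecode</code> model of attribute decoding, and the sample company names are all constructed for this example; three attribute builders are compared: no JS-encoding, the double HTML-encoding from the question, and JSON-then-HTML.</p>

```javascript
// Added example, not from the original answer. It models the two encoding
// layers a value passes through when it sits inside a JavaScript string
// literal inside an HTML attribute, and simulates what the browser does with
// the attribute so the three variants can be compared without a browser.
// Function names and the sample company names are invented for the example.

// Layer 1: make the value a JavaScript string literal. JSON.stringify escapes
// backslashes, double quotes and control characters, so no input can end the
// literal early.
function jsStringLiteral(value) {
  return JSON.stringify(String(value));
}

// Layer 2: HTML-encode for a double-quoted attribute value.
function htmlAttrEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The browser decodes the attribute's entities before the JS engine ever sees
// the handler source. Simplified model: only the entities emitted above.
function htmlAttrDecode(text) {
  return String(text)
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Variant 1, no JS-encoding at all: the raw value lands in a single-quoted JS
// literal, so a quote in the value ends the literal.
function naiveConfirmAttr(message) {
  return htmlAttrEncode("return confirm('" + message + "');");
}

// Variant 2, what the question does: HTML-encode the value, then HTML-encode
// the whole attribute again. The JS engine sees a literal "&#39;".
function doubleEncodedConfirmAttr(message) {
  return htmlAttrEncode("return confirm('" + htmlAttrEncode(message) + "');");
}

// Variant 3, the order the answer recommends: JS-encode first, then
// HTML-encode the whole handler body once.
function safeConfirmAttr(message) {
  return htmlAttrEncode("return confirm(" + jsStringLiteral(message) + ");");
}

// Simulated browser: decode the attribute, then run it as the handler body.
// confirm/alert are passed in as stubs so this runs under Node as well.
function runInlineHandler(attrValue, confirmStub, alertStub) {
  const source = htmlAttrDecode(attrValue);
  return new Function("confirm", "alert", source)(confirmStub, alertStub);
}

// Runs all three variants for one company name and reports, per variant,
// whether the handler parsed and what confirm() and alert() were called with.
function demo(companyName) {
  const variants = {
    naive: naiveConfirmAttr,
    doubleEncoded: doubleEncodedConfirmAttr,
    safe: safeConfirmAttr,
  };
  const results = {};
  for (const [label, build] of Object.entries(variants)) {
    const confirmed = [];
    const alerted = [];
    let outcome;
    try {
      runInlineHandler(
        build(companyName),
        (m) => { confirmed.push(String(m)); return true; },
        (m) => { alerted.push(String(m)); }
      );
      outcome = "ran";
    } catch (e) {
      outcome = e instanceof SyntaxError ? "syntax error" : "runtime error";
    }
    results[label] = { attr: build(companyName), outcome, confirmed, alerted };
  }
  return results;
}

// Constructed inputs: a benign name with an apostrophe, and a name crafted to
// break out of a single-quoted literal.
const SAMPLE_NAMES = ["Bob's Widgets", "' + alert('xss') + '"];

if (typeof require !== "undefined" && require.main === module) {
  for (const name of SAMPLE_NAMES) {
    console.log(name, JSON.stringify(demo(name), null, 2));
  }
}
```

<p>With the benign name, the un-JS-encoded variant is a syntax error and the double-encoded variant shows <code>Bob&amp;#39;s Widgets</code> in the dialog; with the crafted name, only the un-JS-encoded variant reaches <code>alert</code>. Double encoding keeps that particular payload inside the string by accident, but it is still not an escaping scheme: a name ending in a backslash (<code>foo\</code>) still produces an unterminated literal, while the JSON-then-HTML variant passes every input through to <code>confirm</code> unchanged.</p>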