Mat Schaffer

How to escape controller or object content in JavaScript

So content seems to get escaped for HTML automatically, but I'd like to create JSON in a page if possible. I can't seem to find any way to do this.

 

I posted an example app at http://github.com/matschaffer/apex-injection-test that shows the output I'm trying to pull and escape. Right now the JavaScript injection executes successfully.

 

It's looking like I may need to just stick to HTML or do the JavaScript escaping myself in an Apex class. I found this, which looks promising: http://apex-google-visualization.googlecode.com/svn/trunk/GoogleVisualizations/src/classes/JSONObject.cls but they've commented out the quote() method, so I'll have to figure out how to get it back in there.

 

Thanks in advance for any advice,

Mat

Nick34536345

<apex:outputText> is going to automatically escape for HTML, yes. That can be disabled by using escape="false". Or just don't use an outputText tag.

 

Also, there are some built-in functions like JSENCODE and JSINHTMLENCODE which may be useful here.

Mat Schaffer

Nice, thanks! JSINHTMLENCODE seems to be exactly what I was looking for.

 

Do you know if there's a way to call into this from an Apex class? Or will I need to keep all my escaping work in the Visualforce layer?

 

Thanks,

Mat

Nick34536345

No, those functions are specific to Visualforce. There isn't anything similar in Apex.
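
What escaping for a JavaScript string context has to cover, beyond the HTML escaping the thread starts from, as an added example that is not part of the original thread and is not Salesforce's implementation of JSENCODE. The function names `escapeForJsString` and `renderAssignment` and the sample input are constructed for illustration.

```javascript
// Added example: escape untrusted text for a quoted JavaScript string literal
// that is emitted inside an HTML <script> block. All names are hypothetical.
const JS_STRING_ESCAPES = {
  '\\': '\\\\',
  '"': '\\"',
  "'": "\\'",
  '\n': '\\n',
  '\r': '\\r',
  '\t': '\\t',
};

function escapeForJsString(value) {
  let out = '';
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    if (JS_STRING_ESCAPES[ch] !== undefined) {
      // Characters that would end or corrupt the string literal itself.
      out += JS_STRING_ESCAPES[ch];
    } else if (ch === '<' || ch === '>' || ch === '&' || ch === '/' ||
               code < 0x20 || code === 0x2028 || code === 0x2029) {
      // \uXXXX keeps "</script>" and "<!--" away from the HTML parser and
      // neutralises control characters and the JS line separators.
      out += '\\u' + code.toString(16).padStart(4, '0');
    } else {
      out += ch;
    }
  }
  return out;
}

// Builds the statement a page template would emit: var name = '...';
function renderAssignment(varName, untrusted) {
  return 'var ' + varName + " = '" + escapeForJsString(untrusted) + "';";
}

// Constructed sample input: a quote plus a closing script tag, the two
// things HTML escaping alone does not make safe inside a JS string.
const sample = "O'Brien</script><script>alert(1)</script>";
const rendered = renderAssignment('accountName', sample);
```

Evaluating `rendered` yields the original text back as data, and the emitted source contains no literal `</script` or unescaped quote.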