How to escape controller or object content in JavaScript
So content seems to get escaped for HTML automatically, but I'd like to create JSON in a page if possible. I can't seem to find any way to do this.
I posted an example app at http://github.com/matschaffer/apex-injection-test that shows the output I'm trying to pull and escape. Right now the JavaScript injection executes successfully.
It's looking like I may need to just stick to HTML or do the JavaScript escaping myself in an Apex class. I found this, which looks promising: http://apex-google-visualization.googlecode.com/svn/trunk/GoogleVisualizations/src/classes/JSONObject.cls but they've commented out the quote() method, so I'll have to figure out how to get it back in there.
Thanks in advance for any advice,
Mat
<apex:outputText> is going to automatically escape for HTML, yes. That can be disabled by using escape="false". Or just don't use an outputText tag.
Also, there are some built-in functions like JSENCODE and JSINHTMLENCODE which may be useful here.
Nice, thanks! JSINHTMLENCODE seems to be exactly what I was looking for.
Do you know if there's a way to call into this from an Apex class? Or will I need to keep all my escaping work in the Visualforce layer?
Thanks,
Mat
No, those functions are specific to Visualforce. There isn't anything similar in Apex.
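The following is an added example, not code from this thread or from Salesforce: it shows why HTML escaping does not protect a value placed inside a JavaScript string literal in a script block, and what a JavaScript-context encoder has to cover. `htmlEscape` and `jsStringEncode` are hypothetical hand-written helpers (not the implementation of JSENCODE), and the sample value is constructed.

```javascript
// Added illustration. htmlEscape and jsStringEncode are hypothetical helpers,
// not Salesforce's implementation of HTML escaping or JSENCODE.

// HTML-context escaping: correct for markup, wrong for a JS string literal.
function htmlEscape(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// JS-string-context escaping: neutralises the characters that can end the
// literal (quotes, backslash, line terminators) or end the enclosing
// <script> element (<, >, &), using backslash and \uXXXX escapes.
function jsStringEncode(value) {
  return String(value).replace(/[\\'"<>&\u0000-\u001f\u2028\u2029]/g, ch => {
    switch (ch) {
      case '\\': return '\\\\';
      case "'": return "\\'";
      case '"': return '\\"';
      case '\n': return '\\n';
      case '\r': return '\\r';
      default: return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// Parse the encoded text as the body of a single-quoted JS literal, the way
// a browser would parse  var x = '<encoded>';  inside a script block.
function evalAsLiteral(encoded) {
  return new Function("return '" + encoded + "';")();
}

// True only if the literal parses and yields exactly the original data.
function roundTrips(value, encoder) {
  try {
    return evalAsLiteral(encoder(value)) === value;
  } catch (e) {
    return false; // literal was broken open: syntax error or worse
  }
}

// Constructed sample field value: quote, backslash, newline, closing tag.
const sample = "O'Reilly \\ co\n</script>";

console.log('HTML escaping round-trips:', roundTrips(sample, htmlEscape));
console.log('JS encoding round-trips:  ', roundTrips(sample, jsStringEncode));
console.log('Encoded literal body:     ', jsStringEncode(sample));
```
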