0

I have HTML in a database which I want to show with facebox (jQuery popup). I use the PHP code below to render the button that launches the facebox:

$html.="<img onclick='$.facebox(\"".$db_data['html']."\");' src='img.png' />";

How can I escape things properly so that facebox will also get ' and " in $db_data['html']? (For example, if the HTML includes styles?)

1 Answer

3

Use json_encode to convert the string properly to a JavaScript compatible string and htmlspecialchars to encode it for the use in an HTML attribute value:

"<img onclick='" . htmlspecialchars("$.facebox(".json_encode($db_data['html']).");", ENT_QUOTES) . "' src='img.png' />"

Note the use of the quote style ENT_QUOTES to also encode the ' characters that are used to quote the attribute value. This wouldn’t be necessary if you used " for the HTML attribute value instead:

'<img onclick="' . htmlspecialchars("$.facebox(".json_encode($db_data['html']).");") . '" src="img.png" />'
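
As an added example (not part of the original answer), the two encoding layers are wrapped in a helper below, with a round-trip check that reverses them in the order a browser would. The function names `faceboxButton` and `recoverArgument` and the sample string are assumptions made for illustration, and the `JSON_HEX_*` flags go beyond what the answer uses.

```php
<?php
// Added example: context-aware encoding for a value placed in an inline
// event handler. Helper names and the sample string are constructed.

/**
 * Build an <img> whose onclick passes $html to $.facebox().
 * Layer 1 (JavaScript string context): json_encode().
 * Layer 2 (HTML attribute context): htmlspecialchars() with ENT_QUOTES.
 */
function faceboxButton(string $html, string $src = 'img.png'): string
{
    // JSON_HEX_* emit \u00XX escapes for < > & ' " so the JS literal has no
    // HTML-significant characters even before the second layer is applied.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    $js = '$.facebox(' . json_encode($html, $flags) . ');';

    return "<img onclick='" . htmlspecialchars($js, ENT_QUOTES, 'UTF-8')
         . "' src='" . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . "' />";
}

/** Undo both layers the way a browser would, to check the round trip. */
function recoverArgument(string $tag): string
{
    // Step 1: the HTML parser decodes the attribute value.
    preg_match("/onclick='([^']*)'/", $tag, $m);
    $js = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    // Step 2: the JS engine evaluates the string literal (valid JSON here).
    $literal = substr($js, strlen('$.facebox('), -strlen(');'));
    return json_decode($literal, false, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample: both quote styles, a style attribute, and markup.
$stored = "<p style='color:\"red\"'>It's \"quoted\" & </p>";
$tag = faceboxButton($stored);

echo $tag, PHP_EOL;
var_dump(recoverArgument($tag) === $stored); // compare recovered value with the original
```

The encoding only keeps the value from breaking out of the attribute and the JavaScript string. facebox still renders the value as HTML, so the stored markup has to come from a trusted source or be sanitized before it is displayed.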