
I was trying to get away from using PHP's htmlentities and here's where I stopped:

<?php
echo '<img ... onclick="MP.view(\''.$i->name.'\')" />';
?>

But then I thought, instead of doing replaces and checks for special characters, I'll just JSON the entire object.

<?php
echo '<img ... onclick="MP.view('.json_encode($i).')" />';
?>

And this provided a much undesired result putting in a ton of double quotation marks. So how should I do this? Should I assign a numerical unique id to every image and just pass the id, and then look up the rest of the data from a JS array?

    
Why not just pass the URL of the image to view? It would help to know what MP.view does... –  Demian Brecht Jun 13 '11 at 19:27
    
Let's say MP.view does something rather complicated where the URL of the image plays a smaller role. Basically I need to pass a ton of data. –  Mikhail Jun 13 '11 at 20:05

2 Answers

up vote 6 down vote accepted

The correct approach in such cases would be:

 htmlspecialchars(json_encode($var), ENT_QUOTES, "UTF-8")

htmlspecialchars turns any double quotes into the proper HTML escapes, making the resulting string suitable for most attributes. The ENT_QUOTES parameter also takes care of single quotes; but you probably don't need that in your example.

    
Then the receiving function would receive a string, no? –  Mikhail Jun 13 '11 at 20:04
    
Ehm, no. The escaping is just for validity of the HTML attribute, so double quotes would not conflict with the DOM structure. But the JSON expression you put there can still be an object. The browser takes care to pass the original JSON/object to your callback function there. –  mario Jun 13 '11 at 20:06
    
Perfect. This allows me to throw in extra information in the passed object so the function can get away with receiving just one argument –  Mikhail Jun 13 '11 at 20:57
    
You don't need to pass UTF-8 because htmlspecialchars doesn't touch non-ASCII chars –  dynamic Jun 13 '11 at 21:44
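
The two-step encoding from the accepted answer, applied in a loop, with a check that emulates the browser's attribute decoding to confirm that MP.view still receives the original object. This is an added example, not code from the thread; onclickAttr, attrValueAsBrowserSeesIt and the $items data are constructed for illustration, and it assumes PHP 7.3+ for JSON_THROW_ON_ERROR.

```php
<?php
// Added example, not code from the thread. Function names and $items are constructed.

function onclickAttr($data): string
{
    // 1. Serialise for the JavaScript context (PHP 7.3+ for JSON_THROW_ON_ERROR).
    $json = json_encode($data, JSON_THROW_ON_ERROR);
    // 2. Escape the whole handler for the HTML attribute context.
    return 'onclick="' . htmlspecialchars("MP.view($json)", ENT_QUOTES, 'UTF-8') . '"';
}

function attrValueAsBrowserSeesIt(string $attr): string
{
    // The HTML parser decodes entities in an attribute value before the handler
    // source reaches the JavaScript engine; emulate that decoding step.
    if (!preg_match('/^onclick="([^"]*)"$/', $attr, $m)) {
        throw new RuntimeException('attribute value contains a raw double quote');
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample data with characters that break a hand-built attribute.
$items = [
    ['id' => 1, 'name' => 'plain.png'],
    ['id' => 2, 'name' => 'O\'Neil "sunset" <b> & co.jpg'],
    ['id' => 3, 'name' => 'café/été.png'],
];

// The question's second attempt: the parser ends the attribute at the first
// inner double quote, so only this fragment is left as the handler.
$naive = 'onclick="MP.view(' . json_encode($items[1]) . ')"';
echo 'naive handler is cut to: ', strstr(substr($naive, 9), '"', true), "\n";

foreach ($items as $i) {
    $attr = onclickAttr($i);
    echo '<img src="thumb.png" ', $attr, " />\n";

    // Round trip: strip the MP.view( ... ) wrapper and compare with the input.
    $arg = substr(attrValueAsBrowserSeesIt($attr), strlen('MP.view('), -1);
    if (json_decode($arg, true) !== $i) {
        throw new RuntimeException('round trip failed for id ' . $i['id']);
    }
}
echo "every item reaches MP.view() unchanged\n";
```

Because each tag carries its own object in the attribute, the loop needs no per-image global variables.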

It would take a whole lot less escaping (and fewer bytes) to pass the data something like this:

echo '<script>var myObj = '.json_encode($i).'</script>';

Then, your code could look more like this:

echo '<img ... onclick="MP.view(myObj)" />';
    
Still probably best to use htmlspecialchars in that situation, right? –  Frank Farmer Jun 13 '11 at 19:37
    
@Frank: I've never needed it. You may want to wrap it in a CDATA tag, though. –  John Fisher Jun 13 '11 at 19:50
    
What if my code is in a loop? –  Mikhail Jun 13 '11 at 20:03
    
@Mikhail: You can create the script in the loop, too. Just add the index to the name of the object you're creating, then use that in the onclick handler. –  John Fisher Jun 14 '11 at 0:20
    
So then I'm gonna have 200 unique variables, not in an array –  Mikhail Jun 14 '11 at 15:11
