Pass a PHP string to a JavaScript variable and escape newlines

Question

What is the easiest way to encode a PHP string for output to a JavaScript variable   I have a PHP string which includes quotes and newlines   I need the contents of this string to be put into a JavaScript variable   Normally  I would just construct my JavaScript in a PHP file     la    lt script gt    var myvar     lt  php echo  myVarValue   gt     lt  script gt    However  this doesn t work when  myVarValue contains quotes or newlines

User · Answer

You could try   lt script type  text javascript  gt      myvar   unescape   lt   rawurlencode  myvar   gt      lt  script gt

User · Answer

Don t run it though addslashes    if you re in the context of the HTML page  the HTML parser can still see the  lt  script gt  tag  even mid-string  and assume it s the end of the JavaScript    lt  php      value    XXX lt  script gt  lt script gt alert document cookie   lt  script gt      gt    lt script type  text javascript  gt      var foo    lt    json encode  value    gt      Use this     var foo     lt    addslashes  value    gt       Avoid  allows XSS   lt  script gt

User · Answer

You can insert it into a hidden DIV  then assign the innerHTML of the DIV to your JavaScript variable  You don t have to worry about escaping anything  Just be sure not to put broken HTML in there

User · Answer

function escapeJavaScriptText  string        return str replace   n     n   str replace            addcslashes str replace   r        string  string     0   37

User · Answer

Don   t  Use Ajax  put it in data-  attributes in your HTML  or something else meaningful  Using inline scripts makes your pages bigger  and could be insecure or still allow users to ruin layout  unless        you make a safer function   function inline json encode  obj        return str replace   lt  --     lt   --   json encode  obj

User · Answer

Micah s solution below worked for me as the site I had to customise was not in UTF-8  so I could not use json  I d vote it up but my rep isn t high enough   function escapeJavaScriptText  string          return str replace   n     n   str replace            addcslashes str replace   r        string  string     0   37

User · Answer

I m not sure if this is bad practice or no  but my team and I have been using a mixed html  JS  and php solution  We start with the PHP string we want to pull into a JS variable  lets call it    someString   Next we use in-page hidden form elements  and have their value set as the string    lt form id  pagePhpVars  method  post  gt   lt input type  hidden  name  phpString1  id  phpString1  value     someString      gt   lt  form gt    Then its a simple matter of defining a JS var through document getElementById    lt script type  text javascript  charset  UTF-8  gt      var moonUnitAlpha   document getElementById  phpString1   value   lt  script gt    Now you can use the JS variable  moonUnitAlpha  anywhere you want to grab that PHP string value  This seems to work really well for us  We ll see if it holds up to heavy use

User · Answer

Expanding on someone else s answer    lt script gt    var myvar    lt  php echo json encode  myVarValue     gt    lt  script gt    Using json encode   requires    PHP 5 2 0 or greater  myVarValue encoded as UTF-8  or US-ASCII  of course    Since UTF-8 supports full Unicode  it should be safe to convert on the fly   Note that because json encode escapes forward slashes  even a string that contains  lt  script gt  will be escaped safely for printing with a script block

User · Answer

lt script gt  var myVar    lt  php echo json encode  myVarValue     gt    lt  script gt    or   lt script gt  var myVar    lt    json encode  myVarValue    gt    lt  script gt

User · Answer

I have had a similar issue and understand that the following is the best solution    lt script gt      var myvar   decodeURIComponent   lt  php echo rawurlencode  myVarValue     gt      lt  script gt    However  the link that micahwittman posted suggests that there are some minor encoding differences  PHP s rawurlencode   function is supposed to comply with RFC 1738  while there appear to have been no such effort with Javascript s decodeURIComponent

User · Answer

encode it with JSON

User · Answer

I have had a similar issue and understand that the following is the best solution    lt script gt      var myvar   decodeURIComponent   lt  php echo rawurlencode  myVarValue     gt      lt  script gt    However  the link that micahwittman posted suggests that there are some minor encoding differences  PHP s rawurlencode   function is supposed to comply with RFC 1738  while there appear to have been no such effort with Javascript s decodeURIComponent

User · Answer

If you use a templating engine to construct your HTML then you can fill it with what ever you want   Check out XTemplates  It s a nice  open source  lightweight  template engine   Your HTML JS there would look like this    lt script gt      var myvar     MyVarValue    lt  script gt

User · Answer

The paranoid version  Escaping every single character   function javascript escape  str       new str           str len   strlen  str     for  i   0   i  lt   str len   i           new str       x    sprintf   02x   ord substr  str   i  1            return  new str      EDIT  The reason why json encode   may not be appropriate is that sometimes  you need to prevent   to be generated  e g     lt div onclick  alert         gt

User · Answer

htmlspecialchars  Description  string htmlspecialchars   string  string    int  quote style    string  charset    bool  double encode         Certain characters have special significance in HTML  and should be represented by HTML entities if they are to preserve their meanings  This function returns a string with some of these conversions made  the translations made are those most useful for everyday web programming  If you require all HTML character entities to be translated  use htmlentities   instead   This function is useful in preventing user-supplied text from containing HTML markup  such as in a message board or guest book application   The translations performed are       amp    ampersand  becomes   amp amp          double quote  becomes   amp quot   when ENT NOQUOTES is not set         single quote  becomes   amp  039   only when ENT QUOTES is set      lt    less than  becomes   amp lt       gt    greater than  becomes   amp gt     http   ca php net htmlspecialchars

[php] Pass a PHP string to a JavaScript variable (and escape newlines)

Examples related to php

Examples related to javascript

Examples related to escaping

Examples related to newline