el expressions and escaping Javascript strings

Hi all,

I use some el expressions to generate some client-side javascript as follows:

<a href="javascript:searchByLastName('${user.lastName}');">${user.lastName}</a> <script> function findByLastName( aLastName ) { //Call server-side search stuff... } </script>

The problem is that some users' last names contain single quotes (e.g. O'Reilly), so I'll need to escape them with \'. Is there any way to do this with el / jstl, so I won't have to write my own custom tag?

There are already Struts tags (the 'nested' tags) in this project, and when they are used to display the name, it appears as "O'Reilly" in the HTML source. This does not seem to be enough for Javascript however, as when I click on the link I get the generic error message "Problems with this page might prevent it from displaying properly..."

I know this isn't the best practice, but I'm trying to maintain someone else's code so I'm stuck with it.

Thanks!
[ January 23, 2006: Message edited by: Bear Bibeault ]

There is nothing built-in to escape Javascript strings.

To solve this I did not rely on custom actions (tags) since they cannot be used in all circumstances (attribute to other actions, for example). Rather, I defined an EL function to do the escaping.

So your example would look like:

<a href="javascript:searchByLastName('${whatever:escapeJS(user.lastName)}');">${user.lastName}</a>

where 'whatever' is the namespace the tld containing the function is mapped to.
[ January 23, 2006: Message edited by: Bear Bibeault ]

Another tip...

I notice that you emit the plain-text last name using:

${user.lastName}

For this, and any other data that is the result of previous user input, I highly recommend using the <c:out> tag rather than plain EL so that the emitted string is HTML-encoded.

Imagine the havoc wrought upon your page should a user enter "</html>" as their last name. Also, not doing you so opens the door for maliciousness via Javascript injection.

In contexts where actions like <c:out> are not possible, the JSTL defines the fn:escapeXml() EL function.
[ January 23, 2006: Message edited by: Bear Bibeault ]

That's excellent, thanks very much. I'll take your advice on using c ut too!