By Sybab on

I looked around and I think people were facing similar issues with this while using javascript like me and some suggested trying str_replace but it does not work for me, this is a sample code:

	$url = $site->url;
		
               $form['Open'] = array(
		'#title' => t('Open'),
		'#type' => 'button',
		'#value' => t('Open'),
		'#attributes' => array('onclick' => "open('".$url."');"),
		'#description' => t('Open button.'),
		);
         return $form

I tried to do this before getting the form:

                $form = str_replace(''', "'", $form);
		return $form;

But since the $form is in array format the str_replace does not seem to work and anyway the single quote is fine in $form its after drupal process the form that it get gets filtered.

Is there a way to properly show the single quote? Maybe this a beginner question but I searched and did not find any solution. I understand drupal probably does some kind of sanitizing while rendering the form is there a way to bypass it.

Categories: Drupal 7.x

Comments

goofus’s picture

goofus commented

Hello,
If I understand you correctly, what you want to do is "escape' single quotes. All you have to do is replace 'with \'.

So your code:

'#attributes' => array('onclick' => "open('".$url."');"),

changes to:

'#attributes' => array('onclick' => "open(\'".$url."\');"),

Thinking is the best way to travel :)

Sybab’s picture

Sybab commented

thanks for the reply goofus but the single quote shows normally in the $form for instance if I print_r($form) I would get the arrays well format with single quotes my guess is that drupal form processing does that. maybe I should drop using Drupal Form API for what I'm doing but it would come in hand if I could accomplish the single quote not being filtered. maybe its an easy implementation but im not sure how, probably would have to change some things in the core but not sure where to start.

goofus’s picture

goofus commented

Hello,
Another idea. Why not use the "#attached" attribute described in the Form API http://api.drupal.org/api/drupal/developer!topics!forms_api_reference.html/7#attached

Something like:

$js = "YOUR JS CODE";
$form_element['#attached']['js'][] = array('data' => $js, 'type' => 'inline');

Thinking is the best way to travel :)

Sybab’s picture

Sybab commented

It works to add the function to the html output. And by the way, open('http://www.mywebsite.com') points to a jquery ajax "GET" function, added via drupal_add_js. the reason I wanted the onclick attribute is because I want to run that function when someone clicks the button.

Using your code I get this in the html output:

<script type="text/javascript">
<!--//--><![CDATA[//><!--
open('http://www.mywebsite.com');
//--><!]]>
</script>

the onclick functionallity could be added in some way by modifying what the $js does in the example you gave.

but maybe im better off using something like this, which does what I need:

        $output = '"open(';
        $output .= "'";
	$output .= 'http://www.mywebsite.com';
        $output .= "');";
	$output .= '"><button>Open</button></a>';
        return $output

But its not very nice. The Drupal Form API would be better.

Thanks for all the Help.

goofus’s picture

goofus commented

Hello,
I inferred but didn't say explicitly you would alter your js code. You would change your js to a jquery call. Select your element (button) with jquery $("#BUTTON_ID").click(function() { YOUR CODE .... . You would thus be using Jquery's unobtrusive approach (their term, not mine :) ).

Also, that is the Drupal Form API?? I didn't understand what you meant by " The Drupal Form API would be better." ?? You should be either creating the form in a form definition method or altering a form with the hook_form_alter implementation. You should be housing your code in a Drupal module :)

Does that make sense :)

Thinking is the best way to travel:)

Sybab’s picture

Sybab commented

I got it all working with the unobtrusive approach. Yes I do have a module for the code what i meant by drupal form api is using arrays to define and render a form instead of writing html code. I'm creating a form from scratch not altering a existing one. once again thanks for all the help goofus :)

goofus’s picture

goofus commented

Hello,
No problem :) Happy to have helped: )

Please edit your original post and add a "[SOLVED]" at the beginning of the subject line :) That way, other folks can find the solution.

Again, great work !! Thanks for your patience!
Thinking is the best way to travel.

heine’s picture

heine commented

This shouldn't be a problem.

The entity &#039; will be interpreted by the HTML parser before any JS sees it. All JS sees is a single quote. If "it doesn't seem to work", try window.open or simplify with 'alert'.

Note that you will need to escape $url for use in a javascript context. If you don't, a user can inject additional JS.

Sybab’s picture

Sybab commented

I will try to see how your suggestions work. Well the $url is a link retrieved from the database it does not come from any user input. when the user clicks the button however it will retrieve information from the said url by Ajax and while processing there I will probably need to do the escaping to avoid injection, like you said. thanks.