JSStringFormat

Description

Escapes special JavaScript characters, such as single-quotation mark, double-quotation mark, and newline.

Returns

A string that is safe to use with JavaScript.

Category

String functions

Function syntax

JSStringFormat(string)

Parameters

Parameter    Description
string       A string or a variable that contains one.

Usage

Escapes special JavaScript characters, so you can put arbitrary strings safely into JavaScript.

Example

<!--- This example shows the use of the JSStringFormat function. ---->
<h3>JSStringFormat</h3>
<cfset stringValue = "An example string value with a tab chr(8), 
a newline (chr10) and some ""quoted"" 'text'">
<p>This is the string we have created:<br>
<cfoutput>#stringValue#</cfoutput>
</p>
<cfset jsStringValue = JSStringFormat(#stringValue#)>
<!----- Generate an alert from the JavaScript string jsStringValue. ---->
<SCRIPT>
s = "<cfoutput>#jsStringValue#</cfoutput>";
alert(s);
</SCRIPT>


Version 7

Comments


MikerRoo said on May 24, 2005 at 8:05 PM :
The example is slightly off.
A tab is chr (9), backspace is chr(8).

This might be a better example:
<!--- This example shows the use of the JSStringFormat function. ---->
<CFOUTPUT>
<h3>JSStringFormat</h3>
<cfset stringValue = "An example string value with a tab#chr(9)# chr(9),
a newline#chr(10)# (chr10) and some ""quoted"" 'text'">

<p>
This is the string we have created:<br>
#stringValue#
</p>
<p>
View the HTML source to verify that the control characters are indeed there.
</p>

<cfset jsStringValue = JSStringFormat (#stringValue#)>

<!----- Generate an alert from the JavaScript string jsStringValue. ---->
<SCRIPT>
s = "#jsStringValue#";
alert (s);
</SCRIPT>
</CFOUTPUT>

Alexander Bunkenburg said on May 26, 2005 at 1:52 AM :
How about making "A string that is safe to use with JavaScript." more precise? Something like:

"A String that is safe to use within a JavaScript literal string."

That means that all chars that could end a JavaScript literal string are escaped, for example single and double quotes.

I propose extending JSStringFormat: The chars "</script>" are acceptable within a literal string, but are not safe. Example:
<cfscript>
x = "</script><script>alert(document.cookie)</script>";
x = JSStringFormat(x);
</cfscript>
<cfoutput>
<script>alert("Hola #x#")</script>
</cfoutput>

Resulting html:
<script>alert("Hola</script><script>alert(document.cookie)</script>")</script>

Other html tags can be used too. I propose that JSStringFormat additionally substitute '<' by '003C'.

I also propose giving the complete list of substitutions that JSStringFormat does on this page, as there was in the livedocs for ColdFusion 6.0 version.
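
The gap described in the comment above, as an added JavaScript example (not code from Adobe or from the commenters): an escaper that handles only quotes, backslashes and control characters leaves `</script>` intact, while also emitting `<` as a `\uXXXX` escape keeps the whole literal inside the script block. `quoteOnlyEscape` is an assumed stand-in, not the actual JSStringFormat substitution list, and `scriptBodySeenByHtmlParser` is a simplified model of how an HTML parser finds the end of an inline script.

```javascript
// Added example, not Adobe's code. quoteOnlyEscape is an assumed stand-in for an
// escaper that covers quotes, backslashes and control characters only.
const CTRL = { "\\": "\\\\", '"': '\\"', "'": "\\'", "\n": "\\n",
               "\r": "\\r", "\t": "\\t", "\b": "\\b", "\f": "\\f" };

function quoteOnlyEscape(s) {
  // Inside a character class, \b means backspace (U+0008).
  return s.replace(/[\\"'\n\r\t\b\f]/g, (c) => CTRL[c]);
}

// Hardened variant: additionally emit <, >, & and the line separators
// U+2028/U+2029 as \uXXXX escapes, so the literal never contains raw markup.
function scriptSafeEscape(s) {
  return quoteOnlyEscape(s).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// Simplified model (assumption): the HTML parser closes an inline script at the
// first "</script" followed by whitespace, "/" or ">", whatever the JavaScript
// string quoting says at that point.
function scriptBodySeenByHtmlParser(js) {
  const end = js.search(/<\/script[\s\/>]/i);
  return end === -1 ? js : js.slice(0, end);
}

// Hypothetical template helper mirroring alert("Hola #x#") from the comment.
function render(escape, value) {
  return 'alert("Hola ' + escape(value) + '")';
}

// Value taken from the comment above.
const untrusted = "</script><script>alert(document.cookie)</script>";
const weak = scriptBodySeenByHtmlParser(render(quoteOnlyEscape, untrusted));
const safe = scriptBodySeenByHtmlParser(render(scriptSafeEscape, untrusted));

console.log(weak); // script body is cut off in the middle of the string literal
console.log(safe); // complete statement, no raw "<" left in the literal
```

The escaped literal still evaluates to the original string in JavaScript, so the change affects only how the surrounding HTML is parsed.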


Current page: http://livedocs.adobe.com/coldfusion/7/htmldocs/00000543.htm