[Web-SIG] JavaScript escape function

Donovan Preston dp at ulaluma.com
Tue Apr 26 04:26:39 CEST 2005


On Apr 26, 2005, at 1:19 AM, Jp Calderone wrote:

>
>  Nevow has liveevil.jquote(), which I believe does what you want.   
> It is strikingly simple and straightforward:
>
>    def jquote(jscript):
>        return jscript.replace('\\', '\\\\'
>            ).replace("'", "\\'"
>            ).replace('\n', '\\n')
>
>  I wonder if it isn't buggy somehow :)  I don't know javascript  
> well enough myself to say either way.

This is for explicitly quoting strings for inclusion in a javascript  
function call which is being built, which is why it is quoting '

For example:

nevow_clientToServerEvent('identifier', 'hello(\'world\')')

The second argument would have been a python string which looked like  
this, which was then run through jquote before being used to build  
the nevow_clientToServerEvent call:

"hello('world')"

To apply this to jj's original example, assigning a javascript string  
to a javascript variable, use single quotes around the call to  
jquote, or switch jquote to quote " instead of '

var s = '$jquote($s)'

Leaving it up to the developer to ensure every potentially unsafe  
python string is quoted properly always makes me nervous. Nevow has  
enough information to automatically safely quote strings inserted in  
html, html attribute, and URL contexts, but isn't currently smart  
enough to know much about javascript and javascript string quoting  
contexts. livepage will try to quote things properly for you if you  
are using livepage.handler (which uses jquote as shown above) but  
it's pretty easy to fool, because nevow doesn't yet know enough about  
JavaScript to really be safe. I hope to add some additional  
intelligence soon to cover this, and perhaps also to cover CSS contexts.

dp
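The jquote shown in the thread beside a stricter escaper, as an added example that is not Nevow's code. It assumes Python 3 and the function names (jquote_original, js_string_literal, client_to_server_event, leaks_unescaped) are mine; it illustrates why a three-replacement quoter is "pretty easy to fool" once the literal lives inside an inline script block.

```python
import re

def jquote_original(jscript):
    """The Nevow helper quoted in the thread: handles \\, ' and newline only."""
    return jscript.replace('\\', '\\\\').replace("'", "\\'").replace('\n', '\\n')

# Characters that must not reach a JavaScript string literal unescaped when
# that literal sits inside an HTML <script> element:
#   \ ' "            alter or terminate the literal
#   CR LF U+2028/9   JavaScript line terminators, break the literal
#   < > &            can close the <script> element or start HTML markup
_SIMPLE = {'\\': '\\\\', "'": "\\'", '"': '\\"',
           '\n': '\\n', '\r': '\\r', '\t': '\\t'}
_UNICODE_ESCAPE = '<>&\u2028\u2029\x7f'

def js_string_literal(s, quote="'"):
    """Return s as a quoted JavaScript string literal safe for an inline script."""
    out = []
    for ch in s:
        if ch in _SIMPLE:
            out.append(_SIMPLE[ch])
        elif ch < ' ' or ch in _UNICODE_ESCAPE:
            out.append('\\u%04x' % ord(ch))   # \uXXXX is valid in JS and JSON
        else:
            out.append(ch)
    return quote + ''.join(out) + quote

def client_to_server_event(identifier, argument):
    """Build the nevow_clientToServerEvent call from the thread with both
    arguments quoted (assumed helper, not livepage's own builder)."""
    return 'nevow_clientToServerEvent(%s, %s)' % (
        js_string_literal(identifier), js_string_literal(argument))

def leaks_unescaped(body):
    """Defensive check on an escaped literal body (no surrounding quotes):
    strip every backslash escape, then report any character left over that
    could still end the literal or the enclosing <script> element."""
    stripped = re.sub(r'\\.', '', body, flags=re.S)
    return any(ch in stripped for ch in "'\"\n\r\u2028\u2029<>")
```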
