I posted something about this once before, but having just given myself a headache trying to fix something similar once again, I feel like writing some more.
Using the quote delimiter character inside of a quoted string is always a minor problem. There are two ways you can fix it – you can escape the quote using whatever method is valid at the time* or you can change the type of quote delimiter, i.e. you can switch from " to ' or vice versa. There is a deeper problem, though, that is only really seen when you are not just embedding a delimiter in a string, but (as seems to be often the case with web development) when you are passing such a string to someone or something else. Say, for example, you are writing ASP.Net code-behind to output a __doPostback where one of the arguments is a string with an embedded delimiter. The string in .Net code will be delimited (say with "), then the argument to __doPostback will also be delimited (say with '), but then the data in that string might contain ' (e.g. O'Neil), which will have to be escaped.
My exact situation this time was slightly more complicated still – I have three levels of indirection! I am in C# code-behind, setting the .Text property on a Telerik DataGridItem to be an HTML anchor tag which will do a postback. So the .Net string is delimited (with " naturally), the onclick of the a tag is delimited (with " also by convention, so escaped for .Net as \"), the argument to the __doPostBack function is delimited (with ' because there is no way of escaping nested " characters for HTML) and finally the data in that argument might have ' characters, so it needs to be escaped (by \')! And certain parts need to be UrlEncoded also, but before you put in the \' escaping, or else you will UrlEncode the \ character. *Hum*
item[colName].Text = string.Format("<a href=\"#\" onclick=\"__doPostBack('', '{1}{0}{2}')\">{3}</a>", QueryString.PostBackArgSep, postbackType, item[colName].Text.Replace("'", "\\'"), item[colName].Text);
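The same link built by encoding each layer with the framework's encoders instead of hand-placed backslashes, as an added example that is not the code from this post: it works from the data outwards and also covers " and \ in the data, which the Replace above does not. The helper name, the sample values and the ":" separator are assumptions, as is the server URL-decoding the data part.

```csharp
using System;
using System.Web; // HttpUtility (System.Web on .NET Framework)

static class PostBackLink
{
    // Hypothetical helper, not from the original post. Each layer is encoded
    // for exactly one context, working from the data outwards.
    public static string Build(string postbackType, string argSep, string value)
    {
        // Layer 4 (innermost): URL-encode the raw data first, so that the
        // JavaScript escaping added next is not itself URL-encoded.
        // Assumption: the server-side handler URL-decodes this part.
        string urlEncoded = HttpUtility.UrlEncode(value);

        // Layer 3: contents of the '...' JavaScript string literal. Escapes
        // quotes of both kinds, backslashes and control characters.
        string jsArg = HttpUtility.JavaScriptStringEncode(postbackType + argSep + urlEncoded);
        string script = "__doPostBack('', '" + jsArg + "')";

        // Layer 2: value of the "..." onclick attribute. Any " or & in the
        // script becomes an entity, so the attribute cannot be closed early.
        string onclick = HttpUtility.HtmlAttributeEncode(script);

        // Layer 1: the C# string literal; only the fixed markup needs \".
        // The visible link text is HTML content, so it gets HtmlEncode.
        return "<a href=\"#\" onclick=\"" + onclick + "\">"
             + HttpUtility.HtmlEncode(value) + "</a>";
    }

    static void Main()
    {
        // Constructed sample values; ":" stands in for QueryString.PostBackArgSep.
        string[] samples = { "O'Neil", "5\" floppy", @"C:\temp", "<b>R&D</b>" };
        foreach (string s in samples)
            Console.WriteLine(Build("select", ":", s));
    }
}
```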
* Mmm, yes. Whatever method is valid at the time. This is not always straightforward, with some situations calling for \ to give \' or \", some for a doubling up of the offending character giving '' or "", or even for escaping to be impossible in the current context, leaving you with only the ability to switch delimiters. This last problem is why I try to stick with " as the delimiter most of the time, escaping where required rather than making the simpler change to ', so as to save the other character for situations where it is the only method (e.g. HTML). I think that it is probably possible to get yourself into a situation where there is no possible way to pass the string ‘down the line’ as it were without breaking something. If that happens, either you need to encode and decode the whole string somewhere, or admit that you are doing something the hard way and find the right way to do it… I almost think that is what is going on here with my current problem – I think it could be solved by keeping the information that I am passing through to __doPostback somewhere else and just passing a key to it to the code I am calling, but I don’t have the time to do that right now, and this form will soon be superseded by an ASP.Net MVC version.