Hidden field value displaying when the text contains double quotes

DennBen

(I don't know if this is the correct forum - I'm not sure if the "alt"
in "alt.html" specifies a type of HTML; if so, please let me know)


I have a dozen or so hidden fields to a form and they are hidden as
they should be, unless the value I assign to them has double quotes,
then the whole value assigned that should be hidden, displays on the
form.

Has anyone encountered this/know why this is happening? I am using
ColdFusion MX7.


myVariable = '"Our values are the backbone of our business"<BR>"This
set of quotes will break it"'


<td width="150" valign="top">
<FORM ACTION="action.cfm?" METHOD="Post">
<INPUT TYPE="Hidden" NAME="Mission" VALUE="#myVariable#">
<input type="image" src="/images/buttons/btn_approve_profile.gif"
width="121" height="19" value="submit" alt="Approve Profile"
border="0">
</FORM>
</td>

Thanks!
 
John Hosking

DennBen said:
myVariable = '"Our values are the backbone of our business"<BR>"This
set of quotes will break it"'

<FORM ACTION="action.cfm?" METHOD="Post">
<INPUT TYPE="Hidden" NAME="Mission" VALUE="#myVariable#">
<input type="image" src="/images/buttons/btn_approve_profile.gif"
width="121" height="19" value="submit" alt="Approve Profile"
border="0">
</FORM>

Well, this is one of the wildest guesses I've ever pulled out of my, um,
ear, but how about this: use the same delimiters for the parameter
(VALUE="") as in the variable definition (myVariable = ""), and *invert*
the quotes for the variable contents. Or vice-versa, since you want the
passed variable to include double quotes. I mean, try:

myVariable = '"Our values are the backbone of our business"<BR>"This
set of quotes will break it"'
and
<INPUT bla bla VALUE='#myVariable#'>

Then, when the variable's _value_, "Our values yadda hooey... break it"
gets dropped into the VALUE parameter (delimited by single quotes)
there's no conflict; you end up with <INPUT bla bla VALUE='"Our values
yadda hooey... break it"'> and the form knows what you want. Does that
work for you?
 
John Hosking

Bergamot wrote:

<a message stamped as 1:26 am, some forty minutes before NOW>

Hey, Berg: what time is it where you are?
 
Bergamot

DennBen said:
I have a dozen or so hidden fields to a form and they are hidden as
they should be, unless the value I assign to them has double quotes

myVariable = '"Our values are the backbone of our business"<BR>"This
set of quotes will break it"'

myVariable = '&quot;Our values are the backbone of our
business&quot;<BR>"Replace quotes with entity names or decimal
references"'
 
DennBen


Hey guys, thanks for the input. I did try switching single quotes with
double quotes for kicks - it didn't work, but had it worked it
wouldn't have solved my solution anyway because the users of the site
actually create that variable, I'm just passing the values to a second
screen and the users have the ability to use single quotes as well as
double quotes.
I really want to understand why and how using double quotes in a
variable string can cause a hidden field to display!
 
Jukka K. Korpela

Scripsit DennBen:
Hey guys, thanks for the input. I did try switching single quotes with
double quotes for kicks - it didn't work, but had it worked it
wouldn't have solved my solution anyway because the users of the site
actually create that variable, I'm just passing the values to a second
screen and the users have the ability to use single quotes as well as
double quotes.
I really want to understand why and how using double quotes in a
variable string can cause a hidden field to display!

It sounds like you are very confused, and others can't see the situation
clearly either. But apparently you have something (invisible to us)
server-side that gets user input and turns it into hidden fields, _without_
checking for quotation marks in input.

Naturally, before putting anything into the attribute value of an HTML
attribute, you must check whether it contains an ampersand or a quotation
mark and turn such characters into entity or character references.
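
Added example, not part of the original thread: a Python sketch, standing in for the server-side template, that builds the hidden field from the thread with and without escaping and uses the standard library's HTML parser to show what ends up in the VALUE attribute and what falls outside the tag as visible text. The names `escape_attr`, `render_hidden`, `FieldAudit` and `audit` are hypothetical, and the sample value is the one posted above, joined onto one line.

```python
from html.parser import HTMLParser

# Constructed sample: the value from the thread, written on one line.
MISSION = '"Our values are the backbone of our business"<BR>"This set of quotes will break it"'

def escape_attr(value):
    """Escape text for a double-quoted HTML attribute value.

    The ampersand is replaced first so the '&' of '&quot;' is not re-escaped.
    """
    return value.replace("&", "&amp;").replace('"', "&quot;")

def render_hidden(value, escape):
    """Build the hidden field the way the template does (hypothetical helper)."""
    if escape:
        value = escape_attr(value)
    return '<INPUT TYPE="Hidden" NAME="Mission" VALUE="%s">' % value

class FieldAudit(HTMLParser):
    """Record the parsed VALUE attribute and any text that falls outside the tag."""
    def __init__(self):
        super().__init__()
        self.value = None
        self.leaked = ""

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.value = dict(attrs).get("value")

    def handle_data(self, data):
        self.leaked += data

def audit(markup):
    """Return (value the parser sees, text that would render on the page)."""
    parser = FieldAudit()
    parser.feed(markup)
    parser.close()
    return parser.value, parser.leaked

if __name__ == "__main__":
    for escape in (False, True):
        value, leaked = audit(render_hidden(MISSION, escape))
        print("escaped=%s value=%r leaked=%r" % (escape, value, leaked))
```

Without escaping, the first double quote in the data closes the attribute, the `>` of `<BR>` closes the tag, and the remainder is rendered as page text; with escaping, the parser returns the original string and nothing leaks.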
 
