JavaScript Return HTML

[Judahnator]

I am making a button, where once pressed displays an alert that contains HTML code.

For example, this will print "hello!"

<button onclick="return confirm('hello!')">

However, this will just make a mess instead of returning the literal "<form method="post"></form>":

<button onclick="return confirm('<form method="post"></form>")>

 

No matter what filters I apply to my HTML code, htmlspecialchars(), addslashes(), etc, I cannot seem to get it to work right.

 

Any ideas?

[Ganz]

Have you tried using the HTML entities for the tags?  E.G. use &lt; for < and &gt; for >

[dannytech357]

5 minutes ago, Ganz said:

Have you tried using the HTML entities for the tags?  E.G. use &lt; for < and &gt; for >

This works, use the code below:

<button onclick="return confirm('<form method=&quot;post&quot;></form>');">

 

[Judahnator]

15 minutes ago, Ganz said:

Have you tried using the HTML entities for the tags?  E.G. use &lt; for < and &gt; for >

 

10 minutes ago, dannytech357 said:

This works, use the code below:

<button onclick="return confirm('<form method=&quot;post&quot;></form>');">

 

Here is my updated code, which still does not work. Maybe im missing something super simple?

 

<a onclick="return confirm('&amp;lt;form method=&amp;quot;post&amp;quot; style=&amp;quot;margin-bottom: 0&amp;quot; action=&amp;quot;https://cartmanager.net/cgi-bin/cart.cgi&amp;quot;&amp;gt;
&amp;lt;table border=&amp;quot;0&amp;quot; cellpadding=&amp;quot;0&amp;quot; cellspacing=&amp;quot;0&amp;quot;&amp;gt;
&amp;lt;tr&amp;gt;
&amp;lt;td colspan=&amp;quot;3&amp;quot; align=&amp;quot;center&amp;quot;&amp;gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;AddItem&amp;quot; value=&amp;quot;quiltersrule|Quilter&amp;#039;s Rule Original Ruler|24.0000|1|||prompt|1&amp;quot;&amp;gt;
&amp;lt;input type=&amp;quot;image&amp;quot; name=&amp;quot;AddGraphic&amp;quot; border=&amp;quot;0&amp;quot; alt=&amp;quot;Add To Cart&amp;quot; src=&amp;quot;https://cartmanager.net/images2/themes/two_tone/add.gif&amp;quot;&amp;gt;
&amp;lt;/td&amp;gt;
&amp;lt;/tr&amp;gt;
&amp;lt;/table&amp;gt;
&amp;lt;/form&amp;gt;')">
   <img src="redacted/modules/inventory/images/preview.png" title="Code" alt="Code" border="0">
</a>

 

[dannytech357]

3 minutes ago, Judahnator said:

 

Here is my updated code, which still does not work. Maybe im missing something super simple?

 

<a onclick="return confirm('&amp;lt;form method=&amp;quot;post&amp;quot; style=&amp;quot;margin-bottom: 0&amp;quot; action=&amp;quot;https://cartmanager.net/cgi-bin/cart.cgi&amp;quot;&amp;gt;
&amp;lt;table border=&amp;quot;0&amp;quot; cellpadding=&amp;quot;0&amp;quot; cellspacing=&amp;quot;0&amp;quot;&amp;gt;
&amp;lt;tr&amp;gt;
&amp;lt;td colspan=&amp;quot;3&amp;quot; align=&amp;quot;center&amp;quot;&amp;gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;AddItem&amp;quot; value=&amp;quot;quiltersrule|Quilter&amp;#039;s Rule Original Ruler|24.0000|1|||prompt|1&amp;quot;&amp;gt;
&amp;lt;input type=&amp;quot;image&amp;quot; name=&amp;quot;AddGraphic&amp;quot; border=&amp;quot;0&amp;quot; alt=&amp;quot;Add To Cart&amp;quot; src=&amp;quot;https://cartmanager.net/images2/themes/two_tone/add.gif&amp;quot;&amp;gt;
&amp;lt;/td&amp;gt;
&amp;lt;/tr&amp;gt;
&amp;lt;/table&amp;gt;
&amp;lt;/form&amp;gt;')">
   <img src="redacted/modules/inventory/images/preview.png" title="Code" alt="Code" border="0">
</a>

 

What are you trying to do? If your goal is to put HTML elements in the confirm, that won't work, they can only display plaintext. If not, your problem is what you are escaping. "&" is the beginning of an HTML entity, which is followed by what you want the character to be. "&amp;" resolves to "&", and "&lt;" resolves to "<". What you have done in the code above is used &amp; which just resolves to "&". If you want to have "<", then use "&lt;". More info on how HTML entities work can be found in this W3Schools article.

[Judahnator]

13 minutes ago, dannytech357 said:

What are you trying to do? If your goal is to put HTML elements in the confirm, that won't work, they can only display plaintext. If not, your problem is what you are escaping. "&" is the beginning of an HTML entity, which is followed by what you want the character to be. "&amp;" resolves to "&", and "&lt;" resolves to "<". What you have done in the code above is used &amp; which just resolves to "&". If you want to have "<", then use "&lt;". More info on how HTML entities work can be found in this W3Schools article.

 

I am making a form generator for work. When someone pushes a button it dynamically generates a html form, which needs to be returned to the user. I thought the simplest way to do this was to have an alert with the raw HTML form in its contents.

I dont want the popup to contain a form, I want it to contain the literal unparsed HTML code.

[Judahnator]

I figured it out. There was an extra single-quote hiding in the string, that even when encoded still caused JS to crap itself. All better now.