1

I need to be able to access strings held in my C# code in JavaScript. To test, I have tried displaying a message box with the C# string in JavaScript (I am using this string literal and the message box as an example scenario):

alert(<%: "TEST" %>);

When this code runs, no message box is displayed. On the other hand, a message box is displayed with this code:

alert(<%: 6 %>);

Why is it that I can use integers but not strings? Is there any way around this?

Thanks.

3 Answers

5

You need to add quotes around the string; otherwise, the browser sees alert(TEST);, which is incorrect. To prevent cross-site scripting attacks, you also need to properly escape special characters. Calling HttpUtility.JavaScriptStringEncode lets you do both:

alert(<%= HttpUtility.JavaScriptStringEncode("TEST", true) %>);

Note: If this JavaScript snippet appears inside an HTML attribute like onclick, you may need to change <%= to <%: so that the double quotes are also HTML encoded.


0

Why is it that I can use integers but not strings?

Because you need to put strings in quotes:

alert("<%: "TEST" %>");

The key here, as always, is to look at what the browser actually receives. With your original code, what the browser sees is:

alert(TEST);

...which is trying to use the variable TEST, not a literal string.

Now in the above, I've assumed the string won't have any " in it or other things that aren't valid within a JavaScript string literal. That's not usually a good assumption to make.

If you're using a recent version of .Net or using JSON.Net (see this question for details), you can output the string using a JSON serializer, which will ensure that anything within it that may be problematic is properly encoded/escaped. For instance, with JSON.Net, you might use:

// With JSON.Net
alert(<%: JsonConvert.ToString("TEST") %>);

// With a recent version of .Net
alert(<%: HttpUtility.JavaScriptStringEncode("TEST", true) %>);


0

The problem is in how this translates into JavaScript:

alert(<%: "TEST" %>);

becomes

alert(TEST);

This is a problem because it assumes there is a variable named TEST that you'd like to display the value of, but most likely, TEST is undefined. What you probably want to do is this:

alert('<%: "TEST" %>');

But since this is MVC 4, you can use the Json.Encode method to be a little cleaner, like this:

alert(<%: Json.Encode("TEST") %>);

Both of these will translate to

alert('TEST');

This should display a message box with the string 'TEST'.
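
As an added example (not code from the question or from any of the answers), the JavaScript below models what the browser receives under the three approaches discussed above: unquoted output, quotes added by hand, and output passed through an encoder. `jsStringEncode`, `render` and `runInBrowserStub` are hypothetical names, the encoder only approximates what a server-side helper such as HttpUtility.JavaScriptStringEncode(value, true) emits, and the sample values are constructed.

```javascript
// Added example. jsStringEncode is a hypothetical stand-in for a server-side
// encoder such as HttpUtility.JavaScriptStringEncode(value, true).
function jsStringEncode(value) {
  // JSON.stringify adds the quotes and escapes ", \ and control characters.
  return JSON.stringify(String(value))
    // Also escape characters the HTML parser or older JS engines act on.
    .replace(/[<>&'\u2028\u2029]/g,
      c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Three ways of writing a server value into the script (hypothetical names).
const render = {
  unquoted: v => `alert(${v});`,                // value written as-is
  naiveQuoted: v => `alert("${v}");`,           // quotes by hand, no escaping
  encoded: v => `alert(${jsStringEncode(v)});`  // quoted and escaped
};

// Execute a rendered statement with a stub alert; report what it displayed.
function runInBrowserStub(script) {
  const shown = [];
  try {
    new Function("alert", script)(m => shown.push(m));
    return { shown, error: null };
  } catch (e) {
    return { shown, error: e.name };
  }
}

// Constructed sample values: a plain word, a number, a string containing a
// double quote, and a string containing a closing script tag.
const samples = ["TEST", 6, 'He said "hi"', "</script>"];
for (const value of samples) {
  for (const [name, fn] of Object.entries(render)) {
    const script = fn(value);
    console.log(name.padEnd(12), script, JSON.stringify(runInBrowserStub(script)));
  }
}
```

The stub only exercises the JavaScript parser. In a real page the HTML parser reads the script element first, which is why the encoder writes `<` as `\u003c` instead of leaving it in the literal.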
