Escaping single quotes in JavaScript string for JavaScript evaluation

Question

I have a project, in which some JavaScript var is evaluated. Because the string needs to be escaped (single quotes only), I have written the exact same code in a test function. I have the following bit of pretty simple JavaScript code:

function testEscape() {
    var strResult = "";
    var strInputString = "fsdsd'4565sd";

    // Here, the string needs to be escaped for single quotes for the eval 
    // to work as is. The following does NOT work! Help!
    strInputString.replace(/'/g, "''");

    var strTest = "strResult = '" + strInputString + "';";
    eval(strTest);
    alert(strResult);
}

And I want to alert it, saying: fsdsd'4565sd.

A relatively safer approach may be var strResult=eval("("+strInputString+")");. Also, STRING is immutable, so string.replace() returns the replaced result, not modify the string. — Passerby
– Passerby, Commented Feb 26, 2013 at 11:15

SharpC · Accepted Answer · 2016-11-28 11:13:33Z

120

The thing is that .replace() does not modify the string itself, so you should write something like:

strInputString = strInputString.replace(...

It also seems like you're not doing character escaping correctly. The following worked for me:

strInputString = strInputString.replace(/'/g, "\\'");

edited Nov 28, 2016 at 11:13

SharpC

7,5544 gold badges53 silver badges45 bronze badges

answered Feb 26, 2013 at 11:20

Nikita Tkachenko

2,1461 gold badge16 silver badges23 bronze badges

Sign up to request clarification or add additional context in comments.

5 Comments

Stepan Over a year ago

For the remaining ActionScript mohicans out there, this works: var greet:String = "l'advancement"; greet = greet.split("'").join("\\'"); ExternalInterface.call("function(){console.log('" + greet + "')}");

Kev Over a year ago

Note that if there is a backslash in the original text, this may not work.

Skeets Over a year ago

As already mentioned, this doesn't work in all scenarios. Look at kev's answer below, it will work everytime.

RedDragonWebDesign Over a year ago

This doesn't escape backslashes, which would allow \' to go unescaped and terminate the string early. I recommend switching the wrapper to double quotes and using the JSON.stringify() answer below.

Steve Chambers Over a year ago

Here is a modified version that will only escape single quotes that are not already escaped.

Kev · Accepted Answer · 2019-10-16 18:23:13Z

17

Best to use JSON.stringify() to cover all your bases, like backslashes and other special characters. Here's your original function with that in place instead of modifying strInputString:

function testEscape() {
    var strResult = "";
    var strInputString = "fsdsd'4565sd";

    var strTest = "strResult = " + JSON.stringify(strInputString) + ";";
    eval(strTest);
    alert(strResult);
}

(This way your strInputString could be something like \\\'\"'"''\\abc'\ and it will still work fine.)

Note that it adds its own surrounding double-quotes, so you don't need to include single quotes anymore.

edited Oct 16, 2019 at 18:23

answered Dec 21, 2018 at 7:51

Kev

16.5k18 gold badges83 silver badges116 bronze badges

5 Comments

Kev Over a year ago

@RobertMoskal Care to provide details? (I'm assuming you defined strInputString somewhere before running the above snippet, per OP's context...)

Robert Moskal Over a year ago

I missed the eval. That does seem extreme!

Kev Over a year ago

@RobertMoskal Fair enough...if you were the one who downvoted me, would you mind undoing it? :)

Robert Moskal Over a year ago

I can't unless you edit it. You might point out that your answer requires an eval.

Kev Over a year ago

@RobertMoskal OK, done. Thanks! (Note though that the eval was/is part of the OP, not my idea. I copied the OP's function here, cut a line, and changed the var strTest line for clarity.)

William Desportes · Accepted Answer · 2020-03-26 07:10:07Z

2

Only this worked for me:

searchKeyword.replace(/'/g, "\\\'");//searchKeyword contains "d'av"

So, the result variable will contain "d\'av".

I don't know why with the RegEx didn't work, maybe because of the JS framework that I'm using (Backbone.js)

edited Mar 26, 2020 at 7:10

William Desportes

1,7943 gold badges26 silver badges40 bronze badges

answered Jul 3, 2019 at 14:50

João Ox Oc

737 bronze badges

Comments

YziGer · Accepted Answer · 2016-03-11 22:33:18Z

1

I agree that this var formattedString = string.replace(/'/g, "\\'"); works very well, but since I used this part of code in PHP with the framework Prado (you can register the js script in a PHP class) I needed this sample working inside double quotes.

The solution that worked for me is that you need to put three \ and escape the double quotes. "var string = \"l'avancement\"; var formattedString = string.replace(/'/g, \"\\\'\");"

I answer that question since I had trouble finding that three \ was the work around.

answered Mar 11, 2016 at 22:33

YziGer

395 bronze badges

Comments

Khushboo Tahir · Accepted Answer · 2020-11-18 09:56:09Z

1

That worked for me.

string address=senderAddress.Replace("'", "\\'");

answered Nov 18, 2020 at 9:56

Khushboo Tahir

68710 silver badges9 bronze badges

Comments

Raju Kumar Shah · Accepted Answer · 2020-09-14 09:10:06Z

0

There are two ways to escaping the single quote in JavaScript.

1- Use double-quote or backticks to enclose the string.

Example: "fsdsd'4565sd" or `fsdsd'4565sd`.

2- Use backslash before any special character, In our case is the single quote

Example:strInputString = strInputString.replace(/ ' /g, " \\' ");

Note: use a double backslash.

Both methods work for me.

edited Sep 14, 2020 at 9:10

answered Sep 14, 2020 at 9:04

Raju Kumar Shah

12 bronze badges

1 Comment

publicdomain Over a year ago

Welcome to SO! Please do not provide late answers to questions that have been answered many times before that, unless you have something new to add, that other answers fail at. Also add code boxes to your code ^^

Hari · Accepted Answer · 2020-11-12 11:13:48Z

0

var str ="fsdsd'4565sd"; str.replace(/'/g,"'")

This worked for me. Kindly try this

answered Nov 12, 2020 at 11:13

Hari

316 bronze badges

Comments

Steve Chambers · Accepted Answer · 2022-10-30 09:02:20Z

0

The regular expression in the following code also handles the possibility of escaped single quotes in the string - it will only prepend backslashes to single quotes that are not already escaped:

strInputString = strInputString.replace(/(?<!\\)'/g, "\\'");

Demo: https://regex101.com/r/L1lF7J/1

Compatibility

The regex above uses negative lookbehind, which is widely supported but if using an older Javascript version, this clunkier regex (which uses a capturing group backreference instead) will also do the job:

strInputString = strInputString.replace(/(^|[^\\])'/g, "$1\\'");

Demo: https://regex101.com/r/9niyYw/1

edited Oct 30, 2022 at 9:02

answered Oct 30, 2022 at 8:14

Steve Chambers

39.8k29 gold badges179 silver badges222 bronze badges

Comments

Max Hudson · Accepted Answer · 2023-04-11 19:14:43Z

0

For anyone who is here for something other than eval use, a single backslash may be what you're looking for - which is apparently hard to achieve with the native js replace:

"asdf'asdf'".replace(/'/g, `\\'`); 
=>
"asdf\\'asdf\\'"

We were able to use lodash to get the desired result

_.replace("asdf'asdf'", /'/g, `\\'`); 
=> 
"asdf\'asdf\'"

answered Apr 11, 2023 at 19:14

Max Hudson

10.2k15 gold badges61 silver badges111 bronze badges

Comments

Community · Accepted Answer · 2016-02-19 07:54:31Z

-2

strInputString = strInputString.replace(/'/g, "''");

edited Feb 19, 2016 at 7:54

CommunityBot

11 silver badge

answered Feb 17, 2016 at 0:42

Karthik G

151 silver badge5 bronze badges

Collectives™ on Stack Overflow

Escaping single quotes in JavaScript string for JavaScript evaluation

10 Answers 10

5 Comments

5 Comments

Comments

Comments

Comments

1 Comment

Comments

Compatibility

Comments

Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

10 Answers 10

5 Comments

5 Comments

Comments

Comments

Comments

1 Comment

Comments

Compatibility

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related