www.webdeveloper.com
Results 1 to 3 of 3

Thread: replace fuction, espace single double quotes.

Hybrid View

  1. #1
    Join Date
    Jun 2007
    Posts
    15

    replace fuction, espace single double quotes.

    Hello,
    I am trying to remove single quotes and double quotes from a string of escaped characters,
    it works with all except for single quotes ' and double quotes "
    this is my code:

    var newstrchanged = strEscaped.replace(/^%22/g, ' '); //does not remove the double quotes

    var newstrchanged = strEscaped.replace(/^%27/g, ' '); //does not remove the single quote

    var newstrchanged = strEscaped.replace(/^%3A/g, ' '); //does remove the SEMI COLON %3A


    thank you for your help

  2. #2
    Join Date
    Feb 2013
    Posts
    46
    strEscaped is not changed in your code. So for example the first time u make newstrchanged it might have the value of strEscaped with no quotes. The second time u make newstrchanged, it will still have quotes, but might not have single-quotes. The reason it still has quotes is because strEscaped isn't changed. The third time newstrchanged should still have quotes and apostrophes, but shouldn't have colons (unicode 003A). So.. That won't work as you expect, but it works as you describe. Here

    Really, that regex shouldn't work to remove more than one thing. When you use the '^' as the first token, it means the string starts with. Are you trying to say "If the string starts with a quote, remove the quote? I think you meant to remove all quotes from the string- seeing as you used 'g' flag. In regular expressions you compare the unicode value using the '\uXXXX' token. So you want these regular expressions and this code:
    Code:
    var patterns = {
      "quote": /\u0022/g,
      "singleQuote": /\u0027/g,
      "colon": /\u003a/g,
      "semi-colon": /\u003b/g
    };
    var str = '"This is a test of what\'s expected":.. ;;;:';
    var newStr = str;
    for (var i in patterns) {
      newStr = newStr.replace(patterns[i], '');
    }
    But really you don't -need- that much code. You can do it in one line:
    Code:
    var newStr = str.replace(/[\u0022\u0027\u003a\u003b]/g, '');
    But, that's not very efficient or convenient. Storing this action in a function named 'escape' is worth-while. In addition, storing the regular expression in a variable will be more efficient.
    Code:
    var escape = (function () {
        var regex = /[\u0022\u0027\u003a\u003b]/g;
        return function escape (str) {
            return str.replace(regex, '');
        }
    }());
    Now there's an escape function. Here's how you would use it:
    Code:
    var str = '"This is a test of what\'s expected":.. ;;;:';
    var newStr = escape(str);
    But that kind of escaping is known as "black-listing" which isn't very secure- as people can find ways to fill cracks that the blacklist didn't think of. White-listing is the opposite. A white-list is a list of allowed characters. For example, if a username only should have letters numbers and underscores, this is the regex to assure that:
    Code:
    var not_legal = /[^a-z0-9_]/ig;
    var user = "$alpha_Omeg-a".replace(not_legal, '');
    // user is 'alpha_Omega'
    Note that '^' when used as the first character inside of the square-brackets [ ], then the '^' changes the character match to anything EXCEPT what is in the brackets [ ]. When '^' is used as the first character in a regular expression in general, though, it means the string must start with the following character(s) in order to match.
    We can drop the 'i' and the ranges because we can target 'word-characters' and 'digits' instead. \w contains upper-case letters, so we no longer need the 'i' (which means 'case-insensitive') if we choose to use the following regex to match illegal user-name chars:
    Code:
    /[^\w\d_]/g
    So, I don't know what you're doing, but white-listing is probably a better idea from what it looks like.

    If you need help with regular expressions, you should consider learning the basics first:
    http://net.tutsplus.com/tutorials/ja...r-expressions/

    The key difference from black-list and white-list.

    Black-List: Allow everything except those in the exception list.
    White-List: Block everything except those in the exception list.

    So, it's easy to tell which is more secure. If you block everything by default, you only need to narrow what should be allowed- which is easier to do- but still, like anything simple, can become complex.

    A concept (such as white-listing or black-listing) does not guarantee security. It only helps.
    Last edited by s-p-n; 03-01-2013 at 07:00 PM.

  3. #3
    Join Date
    Jul 2008
    Location
    urbana, il
    Posts
    2,787
    why not just do something like
    Code:
    escape(
     unescape( str ).replace( /['"]/g, "" )
    )

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles