1. Home
  2. Forums Index
  3. Browser Side / JavaScript and AJAX 10:25 pm May 13, 2026

Forum Moderators: open

Message Too Old, No Replies

do I need to escapeURI with onclick="document.location=.

         

abersoch windsurfer

5:08 pm on Feb 11, 2011 (gmt 0)

10+ Year Member



Im confused again.

Do I do this: 

<input type="button" onClick="document.location.href='http://www.google.com?foo=1&bar=2'" />


or this: 


<input type="button" onClick="document.location.href='http://www.google.com?foo=1&amp;bar=2'" />

Fotiman

5:21 pm on Feb 11, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If the value is going to appear within an HTML document (as is the case above), the & needs to be escaped as &amp;. Easy way to test is simply to try validating [validator.w3.org] the page.

A better solution would be to avoid using inline event handlers. Keep a clean separation of content and behavior by putting all JavaScript in external .js file(s). And then attach any event handlers/listeners from within the JavaScript file. For example, you could change the input to:

<input type="button" id="googleButton" />

Then in your JavaScript code: 

var googleButton = document.getElementById('googleButton');
googleButton.onclick = function () {
  document.location.href = 'http://www.google.com?foo=1&bar=2';
};


You would NOT need to escape the & character in this case.

abersoch windsurfer

12:11 pm on Feb 13, 2011 (gmt 0)

10+ Year Member



If the value is going to appear within an HTML document (as is the case above), the & needs to be escaped as &amp


So as inline javascript appears 'within' a HTML document you need to escape the & in that too?

e.g. your function if declared inline would need to be changed to: 

<script type="text/javascript">
var googleButton = document.getElementById('googleButton');
googleButton.onclick = function () {
 document.location.href = 'http://www.google.com?foo=1&amp;bar=2';
};
</script>

daveVk

6:29 am on Feb 15, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So as inline javascript appears 'within' a HTML document you need to escape the & in that too?


No, for the same reason you dont escape > in
if( a > b ) ...

Note that if you using XHTML then the rules change and your inline script should read


<script type="text/javascript">
<![CDATA[
... unescaped script content ...
]]>
</script>

[webmasterworld.com...]

abersoch windsurfer

5:09 pm on Feb 18, 2011 (gmt 0)

10+ Year Member



Thanks for the help!

The last thing I'm confused about is if you use document.write do you have to &amp; the &

i.e.
document.write("<a href='http://www.blah.com?foo=a&amp;boo=b'

or

document.write("<a href='http://www.blah.com?foo=a&boo=b'


Looking round at websites I see that lots dont use &amp; in any of their links! Which browsers don't work around & in href/src urls - old versions? - the browsers I use don't treat & as an entity indicator in link urls but every now again I get a complaint from someone who is experiencing a problem.

daveVk

10:03 pm on Feb 18, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



As document.write is I assume in script, do not escape the & or the < for that matter. In HTML (not xHTML ) what goes between the script tags if not markup (ie cdata).

If on the other hand you wanted to talk about document.write on your web page (not in script) it would be coded

document.write("&lt;a href='http://www.blah.com?foo=a&amp;boo=b'

Validate your page and any doubt will go away.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Browser Side / JavaScript and AJAX 10:25 pm May 13, 2026