Strategies for escaping special characters.

Hi all,
Our app(built using Workshop) needs to have a generic way of scrubbing special
characters that a user might enter in the UI,and which might cause our sql that
queries the DB to become malformed. To explain further,some of our DB controls
are not using PreparedStatements to set Strings..instead, we are constructing
the sql as a java string like:
String myQuery="Select * from * where TOUPPER(name) like"+param.ToUpperCase().
and then we do:
Statement stmt=conn.createStatement();
stmt.executeQuery(myQuery).
In such cases, Oracle JDBC driver does not escape any special chars in the String
param,and fails.Other than converting all our queries to use PreparedStatements,
is there a generic pattern/Util class(mebbe RequestUtils) or some way of using
the Servlet Filter API to scrub out any special chars that are input by the user?
Thanks in advance.
Vik.

ServletFilter is the way to go on this one. Don't think there is anything built
into Servlet spec that handles these characters, however, there are a number of
sample filters that do such a task. I think there is a sample in either the O'Reilly
book on Servlets or Core Servlets.
"Vik" <[email protected]> wrote:
>
Hi all,
Our app(built using Workshop) needs to have a generic way of scrubbing
special
characters that a user might enter in the UI,and which might cause our
sql that
queries the DB to become malformed. To explain further,some of our DB
controls
are not using PreparedStatements to set Strings..instead, we are constructing
the sql as a java string like:
String myQuery="Select * from * where TOUPPER(name) like"+param.ToUpperCase().
and then we do:
Statement stmt=conn.createStatement();
stmt.executeQuery(myQuery).
In such cases, Oracle JDBC driver does not escape any special chars in
the String
param,and fails.Other than converting all our queries to use PreparedStatements,
is there a generic pattern/Util class(mebbe RequestUtils) or some way
of using
the Servlet Filter API to scrub out any special chars that are input
by the user?
Thanks in advance.
Vik.

Similar Messages

SQL Injections and XSS - Escaping Special Characters

Hi, hope someone can help in regards to security and SQL Injections and XSS.
We are using APEX 4.0.2 on Oracle 11.2.0.2.
1. It seems the special characters we have entered into normal 'Text Items' 'Text Areas' etc are not being escaped (ie <,>,&, '). If I enter them into the field (ie Surname) they are saved as is into session state and the database - no escaping. Am I missing something such as an environment setting as I thought the "smart" oracle escaping rules would cater for this.
Surely I don't have to manually do each of then.
Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - ie should they show as '&<>' in session state and/or the database ?
2. Also, for the Oracle procedures such as '‘wwv_flow.accept’ , ‘wwv_flow.show’ , 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters. If not, then they must be vulnerable to SQL Injections attacks.
Thx
Nigel

Recx Ltd wrote:
Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
Apex applications that share the database with other applications will also be affected.
The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.This crosses the line into spam: it violates the OTN Terms of Use—see 6(j).
Promotional posts like this are liable to be removed by the moderators.

RegExp for excluding special characters in a string.

Hi All,
Im using Flex RegExpValidator. Can anyone suggest me the correct expression to validate this condition?....
I have tried this expression :----- /^[^///\/</>/?/*&]+$/...But in this it is also negating the alphabets.Also I have tried with opposite condition that in the String we should have alphabets and the expression is:-- ([a-z]|[A-Z]|[0-9]|[ ]|[-]|[_])*..... Please can anyone help me on this.
Thanks in advanced to all.
Munira

sorry but you are posting things back that do not make any sense
what do you mean with the below comment?
munira06 wrote:
Yes you are correct ,but I have tried this with single special character
say
Re: RegExp for excluding special characters in a string.
here is a sample app taken from the live docs
using ^[a-zA-Z0-9 \-_]*$ as the regex accepts all characters from a-z, A-Z, 0-9 - [space] and_
run the example tell me what regex you are using and what test strings fail when they should pass or pass when they should fail
<?xml version="1.0" encoding="utf-8"?>

<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
        xmlns:s="library://ns.adobe.com/flex/spark"
        xmlns:mx="library://ns.adobe.com/flex/mx">
    <fx:Script>
        <![CDATA[
            import mx.events.ValidationResultEvent;
            import mx.validators.*;
            // Write the results to the
            private function handleResult(eventObj:ValidationResultEvent):void {
                if (eventObj.type == ValidationResultEvent.VALID) {
                    // For valid events, the results Array contains
                    // RegExpValidationResult objects.
                    var xResult:RegExpValidationResult;
                    reResults.text = "";
                    for (var i:uint = 0; i < eventObj.results.length; i++) {
                        xResult = eventObj.results[i];
                        reResults.text=reResults.text + xResult.matchedIndex + " " + xResult.matchedString + "\n";
                } else {
                    reResults.text = "";
        ]]>
    </fx:Script>
    <fx:Declarations>
        <mx:RegExpValidator id="regExpV"
                source="{regex_text}" property="text"
                flags="g" expression="{regex.text}"
                valid="handleResult(event)"
                invalid="handleResult(event)"
                trigger="{myButton}"
                triggerEvent="click"/>
    </fx:Declarations>
    <s:Panel title="RegExpValidator Example"
            width="75%" height="75%"
            horizontalCenter="0" verticalCenter="0">
        <s:VGroup left="10" right="10" top="10" bottom="10">
            <s:Label width="100%" text="Instructions:"/>
            <s:Label width="100%" text="1. Enter text to search. By default, enter a string containing the letters ABC in sequence followed by any digit."/>
            <s:Label width="100%" text="2. Enter the regular expression. By default, enter ABC\d."/>
            <s:Label width="100%" text="3. Click the Button control to trigger the validation."/>
            <s:Label width="100%" text="4. The results show the index in the text where the matching pattern begins, and the matching pattern. "/>
            <mx:Form>
                <mx:FormItem label="Enter text:">
                    <s:TextInput id="regex_text" text="xxxxABC4xxx" width="100%"/>
                </mx:FormItem>
                <mx:FormItem label="Enter regular expression:">
                    <s:TextInput id="regex" text="ABC\d" width="100%"/>
                </mx:FormItem>
                <mx:FormItem label="Results:">
                    <s:TextInput id="reResults" width="100%"/>
                </mx:FormItem>
                <mx:FormItem >
                    <s:Button id="myButton" label="Validate"/>
                </mx:FormItem>
            </mx:Form>
        </s:VGroup>
    </s:Panel>
</s:Application>

Escape special characters in url for redirection

In my web page, I want all the characters of the URL to be lower case. For that I created the following method:
private bool UrlFormatoCorrecto(string url)
bool formatoCorrecto = true;
bool upperCa = url.Any(c => char.IsUpper(c));
if (url.Any(c => char.IsUpper(c)))
formatoCorrecto = false;
if (url.Contains(" ") || url.Contains("+"))
formatoCorrecto = false;
return formatoCorrecto;
This works like a charm until a special character appears. The url that I get then will be the following:
http://localhost/web/coches/proven%C3%A7a-aribau,-08036-barcelona,-barcelona
So I have upper case characters. When I redirect it using the following code:
if (!UrlFormatoCorrecto(urlActual))
Response.RedirectPermanent(urlActual.Replace(" ", "-").Replace("+", "-").ToLower());
I get the code again with the same URL with upper case. How can I escape the special characters so they won't bother me anytime I want to make the redirection?

hello,
you could escape special caracters with :
Regex.Escape Method
Regards
Cédric

Escape special characters for OData response

Hi all,
I'm facing a problem on HTTP response when some special characters are in my entity fields.
For example I've got a Edm.String field which has characters like ###, ", < (two number signs ## are ok, but three invoke an error)
When I set output format to xml via URI parameter $format=xml, I get following error:
<message xml:lang="en">In the context of Data Services an unknown internal server error occured</message>
Exception /IWCOR/CX_DS_INTERNAL_ERROR in class /IWCOR/CL_DS_EP_WRITER_OUTPUT method /IWCOR/IF_DS_EP_WRITER_OUTPUT~WRITE and Line 39
If I use JSON as output format, HTTP response code is 200!!, but payload just ends on the character which cannot be interpreted:
(ABAP)-JSON generator can handle double quotes much better than XML format:
How can I escape these output strings, without adding chars which will appear in response payload?
Thanks,
Steffen

Hi Uwe & Ron,
thanks for your ideas, but maybe we're not talking about binary data?! This field is an example from TADIR table.
OData entity definition for this field:
Versid
Edm.String
0
0
20
ABAP field definition:
Data Type        CHAR - Character String
No. Characters       20
Decimal Places        0
Output Length        20
Convers. Routine    <empty>
Uwe did you mean another debugger view?
SE16 output for this line:
What if I want to store and receive data with these special chars like ####, ", <, >,... in a ABAP char field (respective OData Edm.String)?
Thanks,
Steffen

How to escape special characters in Simple Transformation

Hi Experts,
I have got a problem to get a well formed xml document from the below simple transformation. The content of maktx contains
special characters like & <, which are not allowed in a well formed XML-Document. But the result of the Simple Transformation
contains this charcters even after the transformation as you can the in the result below. Has anyone a hint how to escape the
characters included in the maktx.
The transformation for maktx, should be something like
Before: Material & < TEST
After: Material &amp &lt TEST
Report wihich calls the simple transformation
types:
BEGIN OF t_mat,
   matnr type matnr,
   maktx type maktx,
end of t_mat.
Data:
mat type t_mat,
xml_stream type xstring.
START-OF-SELECTION.
mat-matnr = '4711'.
mat-maktx = 'Material & < Test'.
CALL TRANSFORMATION ztest_st2
        SOURCE mat = mat
        RESULT XML xml_stream.
CALL FUNCTION 'DISPLAY_XML_STRING'
EXPORTING xml_string = xml_stream.
Simple Transformation
<?sap.transform simple?>
<tt:transform xmlns:tt="http://www.sap.com/transformation-templates">
<tt:root name="MAT"/>
<tt:template>
    <Leistungsschild>
        <CHARACT> MATNR </CHARACT>
        <CHARACT_DESCR> Materialnummer </CHARACT_DESCR>
        <VALUE tt:value-ref="MAT.MATNR"/>
        <CHARACT> MAKTX </CHARACT>
        <CHARACT_DESCR> Materialkurztext </CHARACT_DESCR>
        <VALUE tt:value-ref="MAT.MAKTX" />
    </Leistungsschild>
</tt:template>
</tt:transform>
RESULT
<?xml version="1.0" encoding="utf-8" ?>
<Leistungsschild>
<CHARACT>MATNR</CHARACT>
<CHARACT_DESCR>Materialnummer</CHARACT_DESCR>
<VALUE>4711</VALUE>
<CHARACT>MAKTX</CHARACT>
<CHARACT_DESCR>Materialkurztext</CHARACT_DESCR>
<VALUE>Material & < Test</VALUE>   </Leistungsschild>

Hi Sandra,
First of all thaks for your quick answer to my problem.
I see what you mean and get the same result, if I am using data-type string instead of xstring. But the recommendation in the XML-Books of SAP is to use XSTRING to save memory and circumflex problems between Codepages, when writing the XML-Stream to a filesystem.
As you can see in the code abvoe I am using a SAP-FM to display the XML-Stream and this FM works only with XSTRING´s,
that is one reason why I don´t understand that it displays it in the wrong way.
Even the Debugger shows me for the XSTRING the wrong result. Does all that mean that the escaping will not be applyed if you are working with XSTING´s??

Print preview for the special characters / symbols

While displaying print preview / taking print output using QGA3 Transaction with developed Z SAPScript form specified as one of the parameters(say for example ZARMEXP), the special characters / symbols like u2018∆u2019 are displayed as u2018#u2019 in the print preview / print output . Of course similar problem had existed for Lambda Symbol u2018u03BBu2019., but it was resolved by using the font type Helve_I7. But for the symbol u2018∆u2019 we checked with almost all the fonts that were available in the system, but of not much use. Hence could you kindly provide us solution(s) that would resolve this issue.

Hi ,
Can you please check language are installed properly in sap check with basis people. then try to print it will work.
when ever language are not maintin properly , the characters or symbols are not print properly.
Regars,
Munibabu.k

Regexp for exclude special characters

hi!
i need a regular expression, which allows all chars and digits [A-Za-z0-9], without special characters like []@.
anyone can help me? thx!
bye,
christian

Hello Christian,
first throw of mine would look like something of this:
^[A-Za-z0-9]*$^ gives you the start
$ gives you the ending
* gives you zero or more repititions. You can replace this with {min,max}, which gives you a minimum and maximum length.
If you would like to know more about regular expressions this link might be useful for you.
Regards,
Tine

Howto escape special characters if using regexp_replace & regexp_substr

hello experts,
following test case
insert into querytest1 (d) values
('#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11');
select regexp_replace(d, REGEXP_SUBSTR (REGEXP_SUBSTR(d, '[^ ]+', 1, 1), '[^:]+', 1, 2 ),'') from querytest1;
ERROR at line 1:
ORA-12726: unmatched bracket in regular expression
proof that []{} special characters are the problem:
delete from querytest1;
commit;
-- insert data without special characters
insert into querytest1 (d) values ('#1(170):"type":"FACEBOOK","count":0,"lastEdition":1382627403299,"type":"GOOGLE","count":0,"lastEdition":1381825285002,"type":"EMAIL","count":2,"lastEdition":1381826322925] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11');
select regexp_replace(d, REGEXP_SUBSTR (REGEXP_SUBSTR(d, '[^ ]+', 1, 1), '[^:]+', 1, 2 ),'') from querytest1;
REGEXP_REPLACE(D,REGEXP_SUBSTR(REGEXP_SUBSTR(D,'[^]+',1,1),'[^:]+',1,2),'')
#1(170)::"FACEBOOK","count":0,"lastEdition":1382627403299,:"GOOGLE","count":0,"lastEdition":1381825285002,:"EMAIL","count":2,"lastEdition":1381826322925,:"EMAIL","count":2,"lastEdition":1381826322925] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11
so now it works because there are no special characters []{}
is there a way to escape them?
thank you in advance.

oraman wrote:
ok you're right I explain from the beginning.
create table t (q varchar2(4000), d varchar2(4000), result varchar2(4000));
insert into t (q,d) values ('#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11',
'UPDATE mytable set value=:1 , valuec=:2 , longvalue=:3 , doublevalue=:4 WHERE productattrnameid=:5 AND productid=:6   AND context=:7');
I would like to get the following:
select result from t;
UPDATE mytable set value='[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}]' , valuec=NULL , longvalue=-3141 , doublevalue=-3141 WHERE productattrnameid=21804 AND productid=3890750   AND context='s11';
the logic is to get the auditing data as ready to execute queries.
It looks you want to include every parameter where parameter is a pattern prefixed by #p1(lenght):param_value #p2(lenght):param_value etc.
Something like this?
set line 1000
col txt format a200
with querytest1 as
select '#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11' d
from dual
select 'UPDATE mytable set value='''|| nvl(trim(regexp_substr (d,'#\d+$\d+$:([^# ]+)', 1, 1, null, 1 )), 'NULL')||''''
       || chr(10) ||'     , valuec='||nvl(trim(regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 2, null, 1 )), 'NULL')
       || chr(10) ||'     , longvalue='|| nvl(trim(regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 3, null, 1 )),'NULL')
       || chr(10) ||'     , doublevalue='||nvl(trim(regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 4, null, 1 )),'NULL')
       || chr(10) ||' WHERE productattrnameid='||regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 5, null, 1 )
       || chr(10) ||'   AND productid='||regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 6, null, 1 )
       || chr(10) ||'   AND context='''||regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 7, null, 1 )||''';' txt
from querytest1;
Result:
TXT
UPDATE mytable set value='[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}]'
     , valuec=NULL
     , longvalue=-3141
     , doublevalue=-3141
WHERE productattrnameid=21804
   AND productid=3890750
   AND context='s11';
1 row selected.
I have a problem formatting the output in the forum but I hope you get it.
Regards.
Alberto

Urgent!!!!! escape special characters like -,& -

Hi
select prt_id from pr_prt where contains(prt_id,'04801\-')>0;
The above query returns foll
04801
04801-04051
I was expecting the result to be 04801-04051.
does any one hv any idea abt this?
This applies to all special characters if they are part of search string.
regards
priya
null

Interesting question...
The API says...
Quotation
\      Nothing, but quotes the following character
\Q      Nothing, but quotes all characters until \E
\E      Nothing, but ends quoting started by \QTry it... and please could you post your code when you're done... I might find it useful... and maybe I can even polish it a bit.... quid pro quo.
Cheers. Keith.

Escaping special characters

Environment:
Client: win2k sp4, 10.2 client
Server: 9.2 on solaris 9
Is there any way to set an escape character?
Many times we have '&' characters in strings in procedures, and when I try to compile them sqldeveloper prompts for a value thinking that it is a variable.
I've tried the default '\', and 'set escape on' doesn't work either.
Would be even better if there was an option in sqldeveloper to tell it to ignore the '&' character alltogether.
Thanks.

not really the answer I was looking for :(
the devs would end up driving me nuts wondering what all the CHR stuff is in their code.
i guess for now, i'll just keep using PLedit to compile all the procs that have any special chars.
...someday we'll have one tool that does everything ;)

Escaping special characters in SECURITY_PRINCIPAL

I am trying to connect to AD-LDAP with
env.put(Context.SECURITY_PRINCIPAL, "CN=cn /18,CN=Users,DC=company,DC=com");
As you can see I have a / character in my DN. I cannot get a context using this security_principal, I am always getting javax.naming.AuthenticationException. When my DN does not contain / or any special character everything works fine. I thought I had to maybe escape / so I tried
env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\/18,CN=Users,DC=company,DC=com");
env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\\\/18,CN=Users,DC=company,DC=com");
env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\\\\\/18,CN=Users,DC=company,DC=com");
without any success.
Thanks in advance,
Nikola

That did not seem to help. By the way, I was really looking for a more generic answer since for example I have the same problem when my SECURITY_PRINCIPAL DN includes /, \, or ' characters.

How to escape special characters in a region title

I have created a drill down report where the second report is filtered by a value chosen in the first report. I am using &Pn_field. syntax to pass the name of the select value to the region title of the second report. Some of the returned values have a ':' in them and therefore the text does not print after the ':'. How do I escape the ':' in the region title?
regards
Paul P

Paul,
I think your question is "How do I use f?p URL syntax to pass data values to a page where the data includes a colon?" (Please correct me if that's not the issue.) The answer is, you can't. Same with commas. HTML DB reserves those two characters for the f?p request syntax. You'll have to save the string into the item before the page branch. There is no restriction on what characters can be used in a region title, it's just HTML-formatted text, except that you must escape anything that looks like HTML unless you want the browser to treat it as HTML. There are restrictions, however, on what characters you can pass in URLs in general and you must take care to escape them properly, e.g., ?, &, whitespace.
And do speak up if I've missed the point.
Scott

Dynamic Images in PDF and Escaping Special Characters

I used the following to create my own PDFs with dymnamic images:
http://marcsewtz.blogspot.com/2012_02_01_archive.html (Dynamic Images in PDF - What 32k Limit? )
I have installed this application on Oracle's free workspace to test.
The issue I am having is that when there is a special character in the description, such as <>'"& then the the PDF will not open. I have tried using the dmbs_xmlgen.convert to convert the description but haven't had any luck.
I'm a complete novice with xml. Any help with this is greatly appreciated.
Thanks,
Glen

I have been able to find a solution, but it's not completely perfect. I have changed the "description" field as follows:
XMLCdata(replace(description,''&'',''and'')) description,
The characters greater than (>), less than (<), single qoute('), and double quote (") can now all be in the description and will not cause errors. For some reason, I couldn't get the & not to give an error no matter what I tried, so I just replaced the & with the word "and". This solution will work for my needs, but it would be nice to be able to get the & to display.
Does anyone know of a way to get the & to display correctly?
Thanks again,
Glen
The complete code I am using is below:
declare
l_print_layout clob;
l_xml_data clob;
begin
-- load print layout from database
for c1 in (
select layout from eba_pdfimg_layouts where id = :P1_LAYOUT
) loop
l_print_layout := wwv_flow_utilities.blob_to_clob(c1.layout );
end loop;
-- generate XML data
for c2 in (
select dbms_xmlgen.getxml('
select
id,
file_name,
mime_type,
XMLCdata(replace(description,''&'',''and'')) description,
-- description,
blob2clobase64(image,''Y'') image
from eba_pdfimg_images
') xml_data from dual
) loop
l_xml_data := c2.xml_data;
end loop;
-- download print document
wwv_flow.g_page_text_generated := true;
apex_util.download_print_document (
p_file_name => 'image_demo',
p_content_disposition => 'ATTACHMENT',
p_report_data => l_xml_data ,
p_report_layout => l_print_layout,
p_report_layout_type => 'rtf',
p_document_format => :P1_FORMAT
end;

Escaping special characters in hidden fields

I am using a hidden field to pass values to the servlet. I am populating the hidden field from a bean. The hidden field can have any string value. My problem is that the value attribute on my hidden field is double quoted and if there is a double quote in the value of the String from my bean it messes my HTML up. Is there an easy workaround for this?
e.g.
<jsp:useBean id="myObject" scope="request" class="MyObject"/>
<input type="hidden" name="myValue" value="<%=myObject.getValue()%>">
If myObject.getValue() returns a string: 60" Mower this will mess my HTML up.
Any suggestions?

First off, Is the Pattern and Matcher specific to JDK 1.4.1? We are currently using 1.2.2? If this is a viable solution, is there a similar one in JDK 1.2.2?
Also, I still don't think it's possible in HTML to escape characters that are values of attributes. Try running the following HTML code:
<html>
<head>
   <script language="JavaScript">
   function getHiddenValue(){
      alert(document.myForm.hiddenDescription.value);
   </script>
</head>
<body>
   <form name="myForm">
   <p>
      <input type="hidden" name="hiddenDescription" value="60\" Mower">
   </p>
   <p>
      <input type="button" onclick="getHiddenValue()" value="Hidden Field">
   </p>
   </form>
</body>
</html>

Strategies for escaping special characters.

Similar Messages

Maybe you are looking for