ASP.NET single quotes are converted to '

Question

Note: Most probably this will be a double question, but since I haven't found a clear answer, I'm asking it anyway.

In ASP.NET I'd like to add some JavaScript to the onclick event of a CheckBox. I've simplified the case to this:

<asp:CheckBox ID="TestCheckBox" runat="server" onclick="alert('test');" Text="Test" />

The resulting HTML is as follows:

<input id="MainContainer_TestCheckBox" type="checkbox" name="ctl00$MainContainer$TestCheckBox" onclick="alert(&#39;test&#39;);" /><label for="MainContainer_TestCheckBox">Test</label> 

What particularly bothers me is that a single quote 'automatically' gets converted into '''. If I omit the onclick in the markup and assign it in Page_Load, the exact same results show in the HTML.

protected void Page_Load(object sender, EventArgs e)
{
    this.TestCheckBox.Attributes["onclick"] = "alert('test');";
}

Anyone got a clue about what's happening? Or how to fix/ avoid it?

Answer 1

We had the same issue with single quotes in attribute values when we migrated a project from .NET 3.5 to .NET 4.0. It converts all single quotes in attribute values to &39;. So we went back to .NET 3.5.

It's a .NET 4.0 thing. You can read more about this issue here.

Answer 2

In case someone else finds this question, this is the way I was able to inject attributes from a custom control without having the values html encoded. This is an example of a button that calls out to an async function to confirm an button press action.

The key is to use the writer.AddAttribute() which has the flag to disable the HTMLEncode step. This also seems to be dependent on which version of asp.net you are using. this works in .net 4.6.1

 public class ConfirmationLinkButton : LinkButton
{
    protected override void AddAttributesToRender(HtmlTextWriter writer)
    {
        base.AddAttributesToRender(writer);
        string script = "confirmAsync('" + ConfirmationMessage.Replace("'", "\\'") + "', " + Callback() + ");" +
                        "return false;";
        writer.AddAttribute(HtmlTextWriterAttribute.Onclick, script, false);
    }

    private string Callback()
    {
        return "(data) => { if (data===true) {" + Page.ClientScript.GetPostBackEventReference(this, "") + "}}";
    }

    public string ConfirmationMessage { get; set; }
}

Answer 3

First of all the asp check box control doesn't take onclick as a valid attribute.

So you can do two things:

1- If you don't need the value server-side, you can just put a normal check box instead of the asp check box.

2- If you need the value server side, add the runat="server" attribute and place and ID on your check box so you can reference it in your code.

<input type="checkbox" id="chk1" onclick="alert('hello');" runat="server" />