Insert text into a textarea using javascript without javascript parsing the text

'<textarea name="textChange" class="signatureChangeText" cols="100" rows="4">'
+ SOME VARIABLE FULL OF TEXT
+ '</textarea>'

The preceding is just part of a simple string that I am using with a change to an innerHTML attribute of a div inside of a javascript function. That "SOME VARIABLE FULL OF TEXT" is the problem, if that variable contains a string that contains javascript parseable data (data to interpret) such as addition symbols or quotations, etc - the script breaks. How do I avoid this? By the way, the variable is dynamic to each user, it is filled by a php echo statement and so inserted on the backend into the ja开发者_StackOverflow中文版vascript. I've thought of how to accomplish this in another way but none are coming the mind. The data is from a database, I pull it with PHP and I need to insert it into this textarea that is dynamically created and inserted into the page based on a user command via innerHTML. Thanks for any help.

Edit: requested context function:

else if (theChange == 'signature') {
        document.getElementById('userPanelChangeBox').innerHTML = 
        '<form action="tinUser_processor.php" method="post">'
        +'Signatures cannot contain any markup (HTML, BBCode, etc) or styling and can only be 4 lines<br />'
        +'Enter your new signature:<br /><br />'
        +'<textarea name="textChange" class="signatureChangeText" cols="100" rows="4">'
        +'<?php echo $userInfo['signature']; ?>'+'</textarea><br /><br />'
        +'<input type="hidden" value="signature" name="typeChange" />'
        +'<input type="submit" value="Submit Change" name="submitter" /></form>';
        }

Seems like you would need to escape HTML and single quotes. You can use PHP's built-in htmlentities function to do this, like so:

<?php echo htmlentities($userInfo['signature'], ENT_QUOTES); ?>

You need to convert any special characters to HTML entities at the server, by the time it's at the client it's too late. e.g.:

"foo <= bar"

becomes

“foo ≤ bar”

and then when inserted in the string becomes:

"“foo ≤ bar”"

rather than

""foo <= bar""

which clearly will mess with the script at the client. You could also use unicode escape sequences.

If you need it done on the client for other reasons, this works (tested):

<textarea id=text></textarea>
<script type="text/javascript">
var signature = "<div>Not actually a div.</div>";
document.getElementById('text').value=signature;

So, something like this will work (untested):

else if (theChange == 'signature') {
    document.getElementById('userPanelChangeBox').innerHTML = 
    '<form action="tinUser_processor.php" method="post">'
    +'Signatures cannot contain any markup (HTML, BBCode, etc) or styling and can only be 4 lines<br />'
    +'Enter your new signature:<br /><br />'
    +'<textarea name="textChange" class="signatureChangeText" cols="100" rows="4">'
    +'</textarea><br /><br />'
    +'<input type="hidden" value="signature" name="typeChange" />'
    +'<input type="submit" value="Submit Change" name="submitter" /></form>';
    document.getElementById('userPanelChangeBox').textChange.value='<?php echo $userInfo['signature']; ?>';
    }