
String is saved weirdly in HTML hidden input

I have a String like the following, which is coming from the server side:

  String productIDs = "[{"productID":"226167","productName":"It is my life (Bingo)"},{"productID":"3193","productName":"It is your name (jingo)"},{"productID":"273838","productName":"It's the same milk/Butter i drink/ate yesterday"}]"

Now I am saving this string in a hidden input field:

<input type="hidden" class="hiddenInput" value="<%=productIDs %>"  />

But when I checked it through Firebug, it is saved very weirdly, as follows:

<input type="hidden" class="hiddenInput" yesterday"}]"="" is ="" my ="" Butter ="" life ="" (Bingo)"},{"productid":"273838","productname":"It ="" crmo="" (paar)"},{"productid":"3193","productname":"It ="" milk="" same ="" flip-off="" productid":"226167","productname":"It ="" value="[{" />

Has anybody got any idea why this is happening?


The problem is with the way you're saving the string: you have to switch the type of quotes you use, otherwise JS doesn't know where the string ends and starts.

In your question it would look like this:

String productIDs = "[{'productID':'226167','productName':'It is my life (Bingo)'},{'productID':'3193','productName':'It is your name (jingo)'},{'productID':'273838','productName':'It's the same milk/Butter i drink/ate yesterday'}]"

You can also use \" instead of ', but that, to me, is a lot more confusing.

Edit

You can do this using the following code:

// Strings are immutable, so keep the returned value
strUWantToChange = strUWantToChange.replace("\"", "'");


If you have quotes in your String, you need to escape them before pasting it into HTML.


As already said by other answers, quotes must be escaped. These are not the only characters that should be escaped. <, >, ' and & should systematically be escaped in HTML. The risks are

  • invalid HTML
  • broken page
  • XSS attacks and security vulnerabilities

Whenever you must display data for which you're not absolutely sure that it doesn't contain any such characters (for example: data coming, directly or indirectly, from the user, or free textual data in general), escape this data.

This is done in JSP by two simple constructs:

  • the JSTL <c:out> tag:
  • the JSTL fn:escapeXml EL function: ${fn:escapeXml(productIDs)}

Scriptlets should not have been used in JSP for years. Use the JSTL, other custom tags, and the EL.
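
The escaping described in the answer above, as an added example that is not part of the original thread: it renders the hidden input once the way the question's scriptlet does and once with the five characters escaped. `escapeHtml`, `rawInput`, `escapedInput` and the second product entry are constructed for this illustration; in a JSP, `fn:escapeXml` or `<c:out>` does the escaping.

```java
public class HiddenInputEscape {
    // Hand-written stand-in for fn:escapeXml / <c:out> (an assumption of this example).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break; // escaped like the rest, so existing entities stay literal
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break; // the character that ended value="..." early
                case '\'': out.append("&#39;");  break; // needed when the attribute is single-quoted
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What the scriptlet in the question does: paste the raw value into the attribute.
    static String rawInput(String value) {
        return "<input type=\"hidden\" class=\"hiddenInput\" value=\"" + value + "\" />";
    }

    // Same markup, with the value escaped for an HTML attribute context.
    static String escapedInput(String value) {
        return "<input type=\"hidden\" class=\"hiddenInput\" value=\"" + escapeHtml(value) + "\" />";
    }

    public static void main(String[] args) {
        // First entry is from the question; the second is constructed to cover <, > and &.
        String productIDs =
            "[{\"productID\":\"273838\",\"productName\":\"It's the same milk/Butter i drink/ate yesterday\"},"
          + "{\"productID\":\"0\",\"productName\":\"Tea & <b>milk</b>\"}]";

        System.out.println("raw:     " + rawInput(productIDs));
        System.out.println("escaped: " + escapedInput(productIDs));

        // After escaping, nothing in the value can close the attribute or open a tag.
        String safe = escapeHtml(productIDs);
        if (safe.indexOf('"') >= 0 || safe.indexOf('<') >= 0 || safe.indexOf('>') >= 0) {
            throw new AssertionError("unescaped delimiter left in attribute value");
        }
    }
}
```

The browser decodes the entities when it parses the attribute, so reading the input's `value` in script returns the original JSON text unchanged.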


Try this:

String productIDs = "[{\"productID\":\"226167\",\"productName\":\"It is my life (Bingo)\"},{\"productID\":\"3193\",\"productName\":\"It is your name (jingo)\"},{\"productID\":\"273838\",\"productName\":\"It's the same milk/Butter i drink/ate yesterday\"}]";
