Solving Bug With Single Quotes In Names Of Friends

My JavaScript application uses Facebook Connect to display the profile pictures of a user's friends. This worked fine until a recent update on Facebook's end created a bug in Safar

Solution 1:

Related to the answer by F3, but rather than attempting to encode the entire result (see the following link for differences: http://xkr.us/articles/javascript/encode-compare/) can you not just encode (or remove) the single quotes?

result[i].replace(/'/g,"%27")

Alternately, this regex pattern should match all instances of the ' character

"/'[^']*+'/"

Like Robert, if you could provide an example of what is returned it would help a bunch.

Solution 2:

I'm wondering if

...
 markup +=
   '<fb:profile-picsize="square"uid="'
         + escape(result[i])
         + '"facebook-logo="true">'
         + ' </fb:profile-pic>';
...

would work?

Solution 3:

Do you have an updated URL for the API call? The one listed in the question appears to reference the FB JavaScript API, but I didn't see any analogous friends_get function.

What exactly does result[i] contain after calling that JS function? The markup code you list suggests that result[i] only appears in the element. Where does the tag in your resultant HTML get generated from (which has the title and alt attributes of interest)?

markup += '<fb:profile-picsize="square"uid="'
    + result[i]
    + '"facebook-logo="true">'
    + ' </fb:profile-pic>';

Solution 4:

Try something like

markup +=
   '<fb:profile-pic size="square" uid="' +
       result[i].replace(/'/g, "&apos;").
           replace(/"/g, "&quot;").
           replace(/\</g, "&lt;").
           replace(/\>/g, "&gt;") +
       '" facebook-logo="true">' +
       '</fb:profile-pic>';

After all, if it's XML, it might as well be valid XML, right? :-)