<a href="#" onClick="doFunction('<?php echo $myVar; ?>')">
Imagine all the possibilities: what if $myVar contains a single quote character (which would close the JavaScript string literal)? A double quote (which would close the onClick attribute itself)? A double quote followed by some HTML tags?
Well, here's a sure-fire PHP function to encode any ASCII string:
So, let's use this function in our link:
Let's say we have the assignment $myVar = "&?1xc'\"". The user-agent ends up with this link:
<a href="#" onClick="doFunction('\x26\x3f\x31\x78\x63\x27\x22')">
The string is ultra-sanitized, and your function receives exactly the string you intended. You may wish to write another function that escapes only the target characters: the single quote (which would close the JavaScript string), the double quote (which would close the onClick attribute), and the ampersand (because the browser decodes HTML entities inside the attribute before the JavaScript parser ever sees the string, so an entity such as &#39; would turn back into a quote). I'll go with overkill for now.
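A concrete version of both encoders discussed above, written for this edit rather than taken from the original post: jsHexEncode is the encode-everything approach, jsTargetEncode the lighter quote/ampersand variant (with the backslash added, since it can swallow the closing quote). The function names are my own and doFunction is the post's placeholder handler; the file is a PHP template, so the final line is the rendered HTML.

```php
<?php
// Added example, not the original post's code: encode every byte of an ASCII
// string as a JavaScript \xHH escape. The output consists only of backslashes,
// the letter x and hex digits, so it cannot close the onClick attribute (no ")
// nor the JavaScript string literal (no '), and it contains no & for the HTML
// parser to decode. Bytes >= 0x80 are out of scope (the post's function is
// ASCII-only; UTF-8 text would need \uHHHH escapes instead).
function jsHexEncode(string $s): string
{
    $out = '';
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $out .= sprintf('\\x%02x', ord($s[$i]));
    }
    return $out;
}

// Lighter variant: escape only the characters that can break the context.
// - ' closes the JavaScript string literal
// - " closes the onClick attribute
// - & lets the HTML parser rebuild a quote from an entity before JS runs
// - \ could swallow the closing quote or start an escape of its own
function jsTargetEncode(string $s): string
{
    return preg_replace_callback(
        '/[\'"&\\\\]/',
        fn(array $m): string => sprintf('\\x%02x', ord($m[0])),
        $s
    );
}

$myVar = "&?1xc'\"";          // the post's sample value (constructed input)
$safe  = jsHexEncode($myVar); // produces the escaped link shown in the post
if ($safe !== '\x26\x3f\x31\x78\x63\x27\x22') {
    throw new RuntimeException('encoder output does not match the expected escape sequence');
}
?>
<a href="#" onClick="doFunction('<?= $safe ?>')">link</a>
```

Run it with any PHP 7.4 or later interpreter; jsTargetEncode on the same input leaves ?1xc untouched and escapes only the ampersand and both quotes.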