String parameters in a javascript function -

im having function:

<script> function params(a,b,c,d) { // alert (c);  var question = document.getelementbyid("question"); question.value = c; var answer = document.getelementbyid("answer"); answer.value = d; var catid = document.getelementbyid("catid"); catid.value = a; var qid = document.getelementbyid("qid"); qid.value = b; }  <button class="modalinput" rel="#prompt" onclick="params(29,29,'in fox tv show, did &#039;the oc&#039; stand for','orange county');"><img src=/images/exclamationmark1.png title="is there error in question, report here." ></button>   <button class="modalinput" rel="#prompt" onclick="params(29,16,'which reality show named after george orwell character','big brother');"><img src=/images/exclamationmark1.png title="is there error in question, report here." ></button> 

first button doesnt work, because of #&039; - second 1 does... first 1 did come using htmlspecialchars() on string... thought trick?

you can see page on here:

http://www.quizboard-cheat.com/component/com_rquote/itemid,176/catid,29/number_items,999/quotation_marks,0/show_author,1/show_createdate,0/show_notes,0/show_quote,1/sort_column,0/sort_order,0/view,rquotes/

it's not html needs escaped there. html character escape sequence ' yield single apostrophe, javascript code

params(29,29,'in fox tv show, did 'the oc' stand for','orange county'); 

obviously syntax error. need escape string delimiters backslash:

<button … onclick="params(29,29,'in … did \'the oc\' stand for',…);"> 

or need use quotes string delimiters - indeed need html-escaped, since used html attribute delimiters:

<button … onclick="params(29,29,&#034;in … did 'the oc' stand for&#034;,…);"> 

---

of course, @kirill ivlev right. shouldn't have used inline event handler attributes in first place, unobtrusive javascript. if attach listeners scripts code, won't have encoding problems.