stackoom
  简体   繁体   中英

How to insert html as text using .html() in javascript?

 原文  2015-03-10 21:30:58       javascript/ jquery/ html

Question

In my javascript app, I insert a user message using the code: 

var displayMessages = function(response, onBottom) {
    var user = GLOBAL_DATA.user;

    var acc = '';
    for(var i=0; i<response.length; i+=1) {
        var obj = response[i];

        var acc_temp = "";
        acc_temp += '<div class="message ' + (obj['user_id']==user['id'] ? 'message-right' : 'message-left') + '">';
        acc_temp += '<div>' + Autolinker.link($(obj['message']).text()) + '</div>';
        if (obj['user_id']!=user['id']) {
            acc_temp += '<div class="message-details">' + obj['first_name'] + ' ' + obj['last_name'] + '</div>';
        }
        acc_temp += '<div class="message-details">' + obj['date_sent'] + '</div>';
        acc_temp += '</div>';

        acc = acc_temp + acc;
    }

    addMessage(acc, onBottom);
};

The problem is that, if obj['message'] = "<script>alert(1);</script>"; then what gets printed on the screen is "alert(1);" because I use .text() . How can I insert the string with the script tags, so that it looks exactly like that on the page? I don't want it to get executed.

Thanks

3 answers

solution1
 1 ACCPTED  2015-03-10 21:41:55

I use these helper functions. 

function htmlEncode(value){
  return $('<div/>').text(value).html();
}
function htmlDecode(value){
  return $('<div/>').html(value).text();
}

I would escape the other variables as well if you are not sure that they will not have any executable code.

solution2
 0  2015-03-10 21:40:32

I solved it using this: 

function escapeHTML(str) {
    return $("<p></p>").text(str).html();
}

solution3
 0  2015-03-10 21:46:42

I think you'll need to wrap your object in a dummy tag, then you can retrieve the full html from that.

You'll have issues though, because you're using a script tag, which will be evaluated. 

obj['message'] = "<script>alert(1);</script>";
>
$(obj['message']).text();
> "alert(1);"
$(obj['message']).html();
> "alert(1);"
$(obj['message']).wrapAll('<div>').text();
// alerts with 1
> "alert(1);"

Not using a script tag will work. 

obj['message'] = "<span>alert(1);</span>";
>
$(obj['message']).wrapAll('<div>').text();
> "<span>alert(1);</span>"

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to insert brackets as text into HTML using Javascript insert text in html tag using javascript Insert HTML into text node with JavaScript How to insert HTML as Text how to include/insert HTML file using Javascript How to insert html to document using javascript How to insert a .html into same page using html and javascript? Using JQuery/Javascript to insert text into specific cells of a html div table? Insert a html link next to form text field using javascript insert html into div using javascript
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM