Stripping out < and > in javascript doesn't quite work

Question

    function SanitizeInput(input) {



        input = input.replace(/</g, "&lt;");
        input = input.replace(/>/g, "&gt;");


        return input;
    }

document.write(SanitizeInput("Test!<marquee>bibble</marquee>"));

If you pop this into jsfiddle.net the result is Test!<marquee>bibble</marquee without the trailing >

Can anyone explain what I'm doing wrong?

Edit: Replacing it with ( and ) seems to work perfectly

Answer 1

您的布局/文档中还必须有其他内容来影响这一点，您的代码本身可以正常工作， 您可以在此处进行测试 。

Answer 2

You're not doing anything wrong. The function you use does replace all your < with < and > with > . Just that document.write adds the sanitized text to the HTML document and the entities get converted back to < and > .

Just try alert instead of document.write .

If you really want to have < visible in your page you should "double-sanitize" the text.

input = input.replace(/</g, "&amp;lt;");

On a side note you could chain replace calls, like this:

input = input.replace(/</g, "&lt;").replace(/>/g, "&gt;");

Hope you find this useful,
Alin

Answer 3

如果您要清理输入内容，请尝试类似以下操作-http://xkr.us/articles/javascript/encode-compare/