Comments (6)
The punchline to all this, which might interest you: you were right to be turned off by the `<textarea>` hack. It turns out that in jQuery 1.8 and below, the code given in http://stackoverflow.com/a/1395954/1709587 is XSS-vulnerable, because `.html()` in those versions of jQuery would explicitly and deliberately run scripts in the given HTML string. A commenter gives the example of `$("<textarea/>").html('<script>alert("lol")</script>').text()`, which will show an alert on jQuery 1.7.
I am glad to have offered up your library as an alternative answer, but sad to have polished up the insecure `<textarea>` answer and edited in reassurances about it being secure. :( Fixing now.
from he.
Good question!
The main goal of he is to encode non-ASCII symbols into HTML entities, and to be able to decode these in all their forms, i.e. `he.encode()` and `he.decode()`.
The encoding part is probably most useful as part of a build script, or as part of a Node.js application that outputs that data as part of a response. The decoding part is the hardest (and probably the main reason why one would use he), as there are so many different ways to encode each character, and there are a lot of weird exceptions and edge cases. If you want to decode HTML entities according to the spec, in any environment, then you definitely need he.
On the client side, at run-time, escaping non-ASCII symbols (like `he.encode()` does) before setting it as `.innerHTML` won't really make a difference; only escaping the unsafe characters would matter in that case.
If your only goal is to escape HTML like the `he.escape()` helper method does, then he is probably overkill.
While the `<textarea>` hack works, it feels very hacky to me, and it won't work in non-browser environments (like you mentioned). Even in browser environments it might give results that are in violation of the spec. Yep, some browsers have buggy implementations of named character references; try http://mathias.html5.org/tests/html/named-character-references/ in IE, for example. Try older browser versions too.
Just `.replace()`ing the characters as needed (like `he.escape()` or `_.escape()` do) seems much simpler, less hacky, ensures the output is predictable/deterministic, and it's probably faster, too.
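The two halves of the reply above (escaping the handful of unsafe characters is a simple, deterministic `.replace()`; decoding character references according to the spec is where the exceptions live) can both be shown in plain JavaScript that runs in Node without a DOM. The following is an added example written for this page; it is not code from the he project or from anyone in the thread. The names `escapeHtml`, `decodeHtmlSubset`, `NAMED` and `WINDOWS_1252` are this example's own, the named-reference table is a deliberately tiny subset chosen to illustrate the legacy no-semicolon forms, and the escape output for `'` and `` ` `` is an assumption modelled on the hex-entity style, not a claim about he's exact output.

```javascript
// Added example, not part of the he project. Demonstrates (1) a one-pass
// .replace()-based HTML escaper in the spirit of he.escape()/_.escape(), and
// (2) why spec-style decoding is the hard half: numeric references come in
// decimal, hex, semicolon-less and zero-padded forms, some code points are
// remapped or replaced, and some named references are valid without ";".

const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;', // assumed hex-entity style; he's exact choice is not claimed here
  '`': '&#x60;',
};

// Escape for insertion into an HTML text node or a quoted attribute value.
// A single regex handles '&' together with the other characters, so there is
// no ordering bug (escaping '&' in a later pass would double-escape), and the
// result is identical in every environment, unlike a DOM-based <textarea> hack.
function escapeHtml(str) {
  return String(str).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Assumed subset of the named character reference table. Keys ending in ";"
// are the normal forms; the keys without ";" are the legacy names browsers
// also accept bare (e.g. "&amp" or "&lt"), which is one of the edge cases
// the reply above refers to. "&hellip" without ";" is deliberately absent.
const NAMED = {
  'amp;': '&', 'lt;': '<', 'gt;': '>', 'quot;': '"', 'apos;': "'",
  'nbsp;': '\u00A0', 'copy;': '\u00A9', 'hellip;': '\u2026',
  'amp': '&', 'lt': '<', 'gt': '>', 'quot': '"', 'nbsp': '\u00A0', 'copy': '\u00A9',
};

// Numeric references in 0x80-0x9F are remapped by the HTML spec to the
// windows-1252 characters (so "&#128;" is the euro sign, not U+0080).
const WINDOWS_1252 = {
  0x80: '\u20AC', 0x82: '\u201A', 0x83: '\u0192', 0x84: '\u201E', 0x85: '\u2026',
  0x86: '\u2020', 0x87: '\u2021', 0x88: '\u02C6', 0x89: '\u2030', 0x8A: '\u0160',
  0x8B: '\u2039', 0x8C: '\u0152', 0x8E: '\u017D', 0x91: '\u2018', 0x92: '\u2019',
  0x93: '\u201C', 0x94: '\u201D', 0x95: '\u2022', 0x96: '\u2013', 0x97: '\u2014',
  0x98: '\u02DC', 0x99: '\u2122', 0x9A: '\u0161', 0x9B: '\u203A', 0x9C: '\u0153',
  0x9E: '\u017E', 0x9F: '\u0178',
};

// NUL, surrogates and out-of-range values decode to U+FFFD rather than
// throwing or producing raw control characters.
function codePointToString(cp) {
  if (cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) {
    return '\uFFFD';
  }
  if (WINDOWS_1252[cp]) return WINDOWS_1252[cp];
  return String.fromCodePoint(cp);
}

// Decoder for text content (attribute-value rules differ and are not
// modelled). One pass over the original string, so "&amp;lt;" becomes
// "&lt;" and is never decoded a second time.
function decodeHtmlSubset(str) {
  return String(str).replace(
    /&(?:#[xX]([0-9a-fA-F]+);?|#([0-9]+);?|([a-zA-Z][a-zA-Z0-9]*;?))/g,
    (match, hex, dec, name) => {
      if (hex !== undefined) return codePointToString(parseInt(hex, 16));
      if (dec !== undefined) return codePointToString(parseInt(dec, 10));
      if (name in NAMED) return NAMED[name];
      // Spec behaviour for legacy names: consume the longest matching prefix,
      // so "&ampfoo" decodes to "&foo".
      for (let i = name.length - 1; i > 0; i--) {
        const prefix = name.slice(0, i);
        if (prefix in NAMED) return NAMED[prefix] + name.slice(i);
      }
      return match; // unknown reference: leave the text untouched, as browsers do
    }
  );
}

module.exports = { escapeHtml, decodeHtmlSubset };
```

Escaping is not idempotent: feeding already-escaped text through `escapeHtml` again turns `&lt;` into `&amp;lt;`, which is exactly the double-encoding that a decoder must not unwind in a second pass; the single-pass decoder above preserves that boundary.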
Thanks for the reply - I think it resolves my question fully. BTW, I went ahead and posted an answer on SO about your library. Naturally, feel free to tweak it if you reckon I've missed anything important or said anything dumb. :)
๐
Good update to the question.
Very nice and thoughtful reply too. Indeed jQuery 1.8 and below runs scripts in HTML strings, and this is deliberate. It's useful in some situations; I remember once making a Tumblr theme with infinite scrolling that needed to execute `<script>` tags to enable dynamic content, because of how limited Tumblr's theming interface is. It allows only entire pieces of HTML to be inserted into the page (that is, if you want non-JS compatibility).
Nice discussion