Possible Duplicate:
How to escape HTML
How can a string be converted to HTML in JavaScript?
e.g.
var unsafestring = "<oohlook&atme>";
var safestring = magic(unsafestring);
where safestring
now equals "<ohhlook&atme>"
I am looking for magic(...)
.
I am not using JQuery for magic
.
This question is related to
javascript
html
Do not bother with encoding. Use a text node instead. Data in text node is guaranteed to be treated as text.
document.body.appendChild(document.createTextNode("Your&funky<text>here"))
You need to escape <
and &
. Escaping >
too doesn't hurt:
function magic(input) {
input = input.replace(/&/g, '&');
input = input.replace(/</g, '<');
input = input.replace(/>/g, '>');
return input;
}
Or you let the DOM engine do the dirty work for you (using jQuery because I'm lazy):
function magic(input) {
return $('<span>').text(input).html();
}
What this does is creating a dummy element, assigning your string as its textContent (i.e. no HTML-specific characters have side effects since it's just text) and then you retrieve the HTML content of that element - which is the text but with special characters converted to HTML entities in cases where it's necessary.
The most commonly used way is using jQuery for this purpose:
var safestring = $('<div>').text(unsafestring).html();
If you want to to encode all the HTML entities you will have to use a library or write it yourself.
You can use a more compact library than jQuery, like HTML Encoder and Decode
The only character that needs escaping is <
. (>
is meaningless outside of a tag).
Therefore, your "magic" code is:
safestring = unsafestring.replace(/</g,'<');
Source: Stackoverflow.com