Hello guys please help me on sanitization the emojionearea content to prevent SQL injection.
I have tried using $("#id").data("emojioneArea").getText(); as to get the content on the input without it rendering the HTML tags but it still interprets the html tags such as:
<script>alert("Hi, I am interpreted")</script>
My code looks like this:
HTML
<input type="text" id="text_t">
JQuery
var textContent = $("#text_t").data("emojioneArea").getText();
I want to prevent SQL Injection here that no html tags is rendered. But the about getText() function still gets the content that renders the html tags
You can encode the < and > tags on the client side with a simple regex if you're to prevent users to input html tags.
html = html.replace(/</g, "<").replace(/>/g, ">");
Related
I want to encode the html tags as a string except some tags like anchor tag using javascript
something similar to php's function "htmlspecialchar"
Note: I never wants to stripe the html tags.
Suppose my html string is like
<div><span>test string</span>div content goes here <a herf="xyz.com">My Portal</a></div>
Expected output should be
<div><span>test string</span>div content goes here My Portal </div>
Here "My portal should" turns to hyperlink instead of getting encoded. but rest all other tags are get encoded and should be displayed on view as string
I need to send HTML string inside XML to a POST REST service.
Currently I am using string concatenation to create XML's and HTML's like the following,
var html = " <div style='some style'>... append model data from the response of some services ... </div> ";
html += " <div> ... append model data from the response of some services ...</div> ";
var xml = "<?xml version='1.0' encoding='utf-8'?>";
xml += "<root><data>";
xml += "<![CDATA["+ html +"]]>";
xml += "</data></root>";
return $http.post(url,xml,{headers : {'Content-Type': 'application/atom+xml'}});
It looks really ugly as the real html content is huge. Which is the cleanest way to achieve this except string concatenation?
You can do following:
Put your html code in body tag under any specific tag like div with some id or class (I have used id)
example:
The content of the document......
... append model data from the response of some services ...
... append model data from the response of some services ...
Now in javascript you can do like below:
var html = document.getElementById("parent_div").innerHTML;
alert(html);
using above code you can use your html without writing it in JS code.
Also, you can hide this if you don't want to show it on your page.
I am reading some rich-content text from server and trying to display it in a grid in plain-text format. That's where i got this problem. I am not able to get rid of html styling tags. I dont want to write some dirty JS/Jquery code to remove HTML styling tags as it is not possible to handle all of the tags. So I thought to do a trick and created a hidden textarea on HTML page:
<textarea name="textarea" id="temp_desc" rows="10" cols="50" style="visibility: hidden"></textarea>
In JS, when I read data from server, I write it in this textarea and then read it back so that all html tags should strip down but It is not working. The html tags themselves get written in this textarea:
document.getElementById("temp_desc").value = Description;
Description = document.getElementById("temp_desc").value;
Any other suggestions how can i make this work?
Thanks.
I solved this problem by using DIV instead of textarea and JQuery method .text().
HTML:
<div id="temp_desc" style="visibility: hidden"></div>
JS:
$("#temp_desc").html(Description);
var descHiddenDIV = document.getElementById("temp_desc");
var temp_description = $(descHiddenDIV).text();
After executing above JS code, temp_description contains plain-text.
I came across this post on SO, and I basically copied the code (html, css and jquery) to my web page. Everything works except that I don't know how to get the tags when my html form is submitted.
From my understanding of the javascript code, the tags are stored in tags, they are not stored in fields, so my question is how to capture those tags when the form where it's embedded is submitted?
Thanks
You can iterate a jquery object and get the child's content in this way:
var tags = '';
$('#tags > span').each(function() {
tags = tags + $(this).html() + ',';
});
$('#inputInForm').val(tags);
Just add a hidden input field to each of your tags like this when you create them:
<span class="tag">
tag-name
<input type="hidden" name="tags[]" value="tag-name">
</span>
This way you will automatically get the tags array when you post the form (obviously those tags should be within your form).
Not sure if this is an actual problem per se but I'm using Epic Editor to input and save markdown in my GAE application (webpy with mako as the templating engine).
I've got a hidden input element in the form which gets populated by the EpicEditor's content when I submit the form but all the white spaces are replaced by . Is this an intended feature? If I check the same code on the EpicEditor site, it clearly returns spaces instead of so what's different about mine?
<form>
<!-- form elements -->
<input id="content" name="content" type="hidden" value></input>
<div id="epiceditor"></div>
<button type="submit" name="submit" id="submit">submit</button>
</form>
<script type="text/javascript">
$('button#submit').click(function(){
var content = editor.getElement('editor').body.innerHTML; //all the spaces are returned as and breaks are <br>
$('input#content').html(content);
});
</script>
NOTE: I want to save my content as markdown in a TextProperty field my data store and generate the html tags when I retrieve it using marked.js
I'm the creator of EpicEditor. You shouldn't be getting the innerHTML. EpicEditor does nothing to the innerHTML as you write. The text and code you are seeing will be different between all the browsers and it's how contenteditable fields work. For example, some browsers insert UTF-8 characters for spaces some  .
EpicEditor gives you methods to normalize the text tho. You shouldn't ever be trying to parse the text manually.
$('button#submit').click(function(){
var content = editor.exportFile();
$('input#content').html(content);
});
More details on exportFile: http://epiceditor.com/#exportfilefilenametype
P.S. You don't need to do input#content. Thats the same as just #content :)
You can do this if you dont find out why:
<script type="text/javascript">
$('button#submit').click(function(){
var content = editor.getElement('editor').body.innerHTML;
content = content.replace(" ", " ");
$('input#content').html(content);
});
</script>
[EDIT: solved]
I shouldn't be using innerHTML, but innerText instead.
I figured out that Epic Editor uses on all spaces proceeding the first one. This is a feature, presumably.
However that wasn't the problem. ALL the spaces were being converted to , eventually, I realised it occurs when Epic Editor loads the autosaved content from localStorage.
I'm now loading content from my backend every time instead of autosaving. Not optimal, but solves it.