I am taking inputs from user, then adding links for mentioned users and then passing the same in the template
Input: hello #ds
String after adding links -
"#<a class="tweet-url username" href="/user/ds" data-screen-name="ds" rel="nofollow">ds</a>"
Passing the above string in .Msg (using golang template) :
<div class="panel-body" >
<p > {{.Msg}} </p>
</div>
Expected outcome is: Hello #ds (with clickable link on #ds)
However getting everything in text format (same as input).
#<a class="tweet-url username" href="/user/ds" data-screen-name="ds" rel="nofollow">ds</a>
What am I missing?
Got a better solution. First of all I am doing htmlEscape on the input and then storing it in the db; then, while presenting, I add the links and use the document.write(string) function. With this I don't have to change the template and I don't have to worry about XSS attacks. I am also avoiding XSS scripts in my database.
Try wrapping your string (Msg) in template.HTML to disable the escaping that html/template does.
Example from the docs:
The template
Hello, {{.}}!
can be invoked with
tmpl.Execute(out, template.HTML(`<b>World</b>`))
to produce
Hello, <b>World</b>!
instead of the
Hello, &lt;b&gt;World&lt;b&gt;!
that would have been produced if {{.}}
was a regular string.
Note that you should do this with great care... make sure that you trust the string you're wrapping in template.HTML. This is an easy way to open yourself up to XSS attacks.
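One way to apply that caution to the mention-link case from the question, as an added example that is not part of the original answer: every piece of user text is escaped, and the only markup wrapped in template.HTML is the anchor built by the program from a validated name. The username character set in `mentionRe` and the helper names `Linkify` and `Render` are assumptions.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// Assumed username policy: letters, digits and underscore only, so a matched
// name can never carry markup or break out of an attribute value.
var mentionRe = regexp.MustCompile(`#([A-Za-z0-9_]{1,30})`)

const anchorFmt = `#<a class="tweet-url username" href="/user/%[1]s" data-screen-name="%[1]s" rel="nofollow">%[1]s</a>`

var page = template.Must(template.New("msg").Parse(
	`<div class="panel-body"><p>{{.Msg}}</p></div>`))

// Linkify walks the raw input, HTML-escapes everything outside a mention and
// emits the anchor only for the validated name. The result is the one value
// that is safe to mark as template.HTML.
func Linkify(raw string) template.HTML {
	var sb strings.Builder
	last := 0
	for _, m := range mentionRe.FindAllStringSubmatchIndex(raw, -1) {
		sb.WriteString(template.HTMLEscapeString(raw[last:m[0]]))
		fmt.Fprintf(&sb, anchorFmt, raw[m[2]:m[3]])
		last = m[1]
	}
	sb.WriteString(template.HTMLEscapeString(raw[last:]))
	return template.HTML(sb.String())
}

// Render executes the question's template with msg as .Msg.
func Render(msg interface{}) string {
	var sb strings.Builder
	if err := page.Execute(&sb, map[string]interface{}{"Msg": msg}); err != nil {
		return "error: " + err.Error()
	}
	return sb.String()
}

func main() {
	fmt.Println(Render(Linkify("hello #ds")))                      // clickable link
	fmt.Println(Render(Linkify("hi #ds <script>alert(1)</script>"))) // script stays text
	fmt.Println(Render(`#<a href="/user/ds">ds</a>`))              // plain string: escaped
}
```

Escaping the fragments between matches, rather than escaping the whole string and then running the regular expression, keeps the pattern from matching inside entities such as `&#39;` that the escaper itself produces.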
Related
I have to print out an input tag and a label without any space between the end of one tag and the start of the next... but I also want to pretty-print the rest of the document.
By default — with pretty printing turned on in Jade — I get the following:
<input ...></input>
<label ...></label>
I want:
<input ...><label ...></label>
or
<input ...></input><label ...></label>
The idea from Jade - Controlling line-breaks in the HTML output doesn't work because input is a self-closing tag.
Update 1: I have created the obvious solution using a mixin and literal HTML, but I would like to avoid that if possible.
In Razor, I addressed this by wrapping the whitespace with a multi-line comment:
<div>
<span>No trailing</span><!--
--><span>space</span>
</div>
I'm creating a plug and play chat module which loads (via ajax) a chatbox html as string. This html string has some elements which are hidden(display:none) and are to be used repetitively. eg:
<div class="chatboxmain">
<div class="incomingmsg" style="display:none;">
<div>
<span class="msgtext"></span>
<span class="msgtime"></span>
</div>
</div>
<div class="outgoingmsg" style="display:none;">
<div>
<span class="msgtext"></span>
<span class="msgtime"></span>
</div>
</div>
<!-- .....So on 5 types of messages contact,video,image -->
<div class="incomingcontactmsg"></div>
<div class="outgoingcontactmsg"></div>
</div>
Since I can have multiple chatboxes, I load the template only once and save it in a javascript string object.
template.chatbox=chatboxstring;
I have to extract the message templates from within the chatbox template and save them in memory so that I don't query my dom again and again.
template.incomingmsg="";
template.outgoingmsg="";
To achieve the above I do the following:
var a=document.createElement("div"); // detached container used only for parsing
a.innerHTML=template.chatbox;
template.incomingmsg=a.querySelector('.incomingmsg').innerHTML;
template.outgoingmsg=a.querySelector('.outgoingmsg').innerHTML;
Question 1: Is the above the only way to go about it?
Question 2: I'm saving strings for incoming and outgoing message and wrapping them in a div every time a message comes.
Which is better?
a. Keeping a DOM Node saved in a javascript object for its lifetime, or
b. keeping a string (for innerHTML) and parsing it again and again every time a message is received and sent. I raise the question because a Node object in memory eats more memory than a string object, vs. on appending the string as innerHTML I'll be repeatedly parsing the same string again.
1)
For handling XML (HTML) in JS, maybe I wouldn't use pure HTML DOM access and would use some framework, for example jQuery (there are more frameworks with different performance):
https://api.jquery.com/jQuery.parseXML/
It is more readable than using the HTML DOM and innerHTML. And remember that readability is really important. If you look at your own code after a few months you won't know what is going on.
2) It is good to realize that on the client side (browser) you are handling only one client. So even when there are 20 000 users using your application, it is not such a big problem if you are using one or another way on the CLIENT side. Your performance focus should be on the server side.
I would use the solution where I use a little bit more memory and don't have to parse every time (a).
Is there a way to convert all HTML tags from uppercase to lowercase? I am using FileMaker Pro 12 to input some data into a MySQL database which then is displayed on a PHP page on my web server. The trouble is FileMaker inserts tags for formatting in uppercase rather than lowercase. I'd like it to be displayed as below please:
Before:
<SPAN STYLE="color:#fff">My Text</SPAN> <BR/>
After:
<span style="color:#fff">My Text</span> <br/>
I'd also like to say seeing as I have got given a negative that I have tried some examples on here and none seem to have worked for me :(
I am also hosting on a Windows server if that helps at all
I used pft221's suggestion and worked great!
If the text is in FileMaker, you could use FileMaker's Lower()
function to make it lower case. You'd have to write or find a custom
function to Lower only the HTML tags, though.
filemaker.com/help/html/func_ref3.33.68.html#1031014 – pft221
I use CKEditor in my AngularJS Application. When I try to display the text that I saved from the TextEditor, it doesn't take the style. For Example if I want to display a sentence it appears as:
<p>How old are you</p>
instead of :
How old are you
I tried using ng-bind:
<div ng-bind="Item.Header"></div>
and the regular binding method:
<h3>{{Item.Header}}</h3>
But both methods didn't work. Is there a solution for this issue?
You should use "ngBindHtmlUnsafe". Since this command doesn't sanitize the expression, you should only use it if you trust the source.
So the html will be written as follows:
<div ng-bind-html-unsafe="Item.Header"></div>
Not sure if this is an actual problem per se but I'm using Epic Editor to input and save markdown in my GAE application (webpy with mako as the templating engine).
I've got a hidden input element in the form which gets populated by the EpicEditor's content when I submit the form but all the white spaces are replaced by &amp;nbsp;. Is this an intended feature? If I check the same code on the EpicEditor site, it clearly returns spaces instead of &amp;nbsp; so what's different about mine?
<form>
<!-- form elements -->
<input id="content" name="content" type="hidden" value></input>
<div id="epiceditor"></div>
<button type="submit" name="submit" id="submit">submit</button>
</form>
<script type="text/javascript">
$('button#submit').click(function(){
var content = editor.getElement('editor').body.innerHTML; //all the spaces are returned as &nbsp; and breaks are <br>
$('input#content').html(content);
});
</script>
NOTE: I want to save my content as markdown in a TextProperty field my data store and generate the html tags when I retrieve it using marked.js
I'm the creator of EpicEditor. You shouldn't be getting the innerHTML. EpicEditor does nothing to the innerHTML as you write. The text and code you are seeing will be different between all the browsers and it's how contenteditable fields work. For example, some browsers insert UTF-8 characters for spaces, some &amp;nbsp;.
EpicEditor gives you methods to normalize the text tho. You shouldn't ever be trying to parse the text manually.
$('button#submit').click(function(){
var content = editor.exportFile();
$('input#content').html(content);
});
More details on exportFile: http://epiceditor.com/#exportfilefilenametype
P.S. You don't need to do input#content. That's the same as just #content :)
You can do this if you don't find out why:
<script type="text/javascript">
$('button#submit').click(function(){
var content = editor.getElement('editor').body.innerHTML;
content = content.replace(/&nbsp;/g, " "); // global flag so every &nbsp; is replaced, not only the first
$('input#content').html(content);
});
</script>
[EDIT: solved]
I shouldn't be using innerHTML, but innerText instead.
I figured out that Epic Editor uses &amp;nbsp; on all spaces proceeding the first one. This is a feature, presumably.
However that wasn't the problem. ALL the spaces were being converted to &amp;nbsp;. Eventually, I realised it occurs when Epic Editor loads the autosaved content from localStorage.
I'm now loading content from my backend every time instead of autosaving. Not optimal, but solves it.