April 11th, 2018, 11:35 AM
-
Is jQuery's .text() safe?
When it comes to htmlspecialchars, html_escape, etc.,
would it be safe to allow users to change the text like this?
Code:
$(function() {
    $("#plc_sub_headline").keyup(function() {
        // Copy the input's value into the preview iframe as plain text
        $("#plc_preview").contents().find("#pre_headline_title").text($("#plc_sub_headline").val());
    });
});
April 11th, 2018, 11:40 AM
-
According to the docs,
We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode(), does not interpret the string as HTML.
April 11th, 2018, 12:50 PM
-
Hi I read
We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode(), does not interpret the string as HTML.
It doesn't make sense to me, probably because my English isn't that good.
From what I see, it doesn't seem to execute JavaScript! Maybe because it's in an iframe.
Which is weird, because it looks like script tags.
April 11th, 2018, 01:16 PM
-
The most important part is the "does not interpret the string as HTML" at the end.
-
Originally Posted by requinix
The most important part is the "does not interpret the string as HTML" at the end.
And that means?
-
-
Love me like u do love love me love me like u do. In other words, would it be safe to do this:
Code:
$(function() {
    $("#plc_sub_headline").keyup(function() {
        // Same as before, but the preview target is on the page itself, not in an iframe
        $("#plc_preview").text($("#plc_sub_headline").val());
    });
});
======> This is the playground <======
-
Yes, though it would be slightly more efficient to
javascript Code:
$(function() {
var preview = $("#plc_preview");
$("#plc_sub_headline").keyup(function() {
preview.text(this.value);
});
});
Remember that every time you use $ jQuery has to evaluate the selector and find the element on the page. If the element isn't changing then don't make it do that every time.
-
Thank you
-
Is this secure?
Code:
function show_hide(item)
{
if($("#"+item+"_show").val()==0)
{
$("#"+item+"_hide_show_button").attr("class","fas fa-eye");
$("#"+item+"_show").val(1);
$("#"+item+"_row").removeClass("hide-me");
}
else
{
$("#"+item+"_hide_show_button").attr("class","fas fa-eye-slash");
$("#"+item+"_show").val(0);
$("#"+item+"_row").addClass("hide-me");
}
}
function update_text(sender, receiver)
{
$("#"+receiver).text($("#"+sender).val());
}
function bg_color_change(row, color)
{
$("#"+row).css("background-color", "#"+color);
}
function color_change(row, color)
{
$("#"+row).css("color", "#"+color);
}
Also I got an issue with nl2br
I want to replace the text on the page with the user's input in a textarea.
Code:
<textarea class="form-control page-text" rows="10" id="page-text-textarea"><?php echo html_escape($page_text);?></textarea>
<button type="button" class="btn btn-info" onclick="update_page_text(); close_modal('page-text-modal');">Proceed</button>
The user is not allowed to use any HTML elements. So I thought I'd just use .text():
Code:
$("#page-text").text($("#page-text-textarea").val());
The issue with this is that line breaks get lost. So I thought I'd use:
Code:
$("#page-text").html(textAreaContent);
The issue with this one is that if the user adds <script> tags, they can run JavaScript on the page, and I don't want that.
How can I add the user's line breaks only? Basically, apply something like this:
Code:
textAreaContent = $("#page-text-textarea").val().replace(/\n/g, "<br>");
Last edited by English Breakfast Tea; May 27th, 2018 at 12:34 AM.
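Added example (not code from the thread): the difference between .text() and .html() discussed above, and the nl2br problem in the last post, come down to one rule: escape the user's text first, then add the only markup you want. The element ids are the ones from the post; `safeNl2br` and `escapeHtml` are names assumed here.

```javascript
// Map of the five characters that can change meaning inside HTML text or attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Turn arbitrary user text into inert character data, the same thing .text()
// achieves by going through createTextNode() instead of the HTML parser.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// nl2br that is safe to hand to .html(): because the input is escaped before the
// replace, the only tags in the result are the <br> elements this function emits.
// Handles Windows (\r\n), old Mac (\r) and Unix (\n) line endings.
function safeNl2br(text) {
  return escapeHtml(text).replace(/\r\n|\r|\n/g, "<br>");
}

// Wiring for the textarea from the post. jQuery is passed in so the function can
// live in a plain module; in the browser call updatePageText(jQuery) from the button.
function updatePageText($) {
  $("#page-text").html(safeNl2br($("#page-text-textarea").val()));
}

// Constructed sample input showing what a user could type into the textarea.
const SAMPLE_INPUT = "First line\r\n<script>alert('x')</script>\nlast line";
// safeNl2br(SAMPLE_INPUT) returns
// "First line<br>&lt;script&gt;alert(&#39;x&#39;)&lt;/script&gt;<br>last line"
```

If you would rather never build HTML from user input at all, keep `.text()` and give `#page-text` the CSS rule `white-space: pre-line`; the browser then renders the newlines itself.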