#1 A Change of Season (Devshed Loyal, 3000 - 3499 posts)

    Join Date: Mar 2004 | Location: Next Door | Posts: 3,461 | Rep Power: 221

    Is jQuery's .text() safe?


    When it comes to htmlspecialchars, html_escape, etc.

    Would it be safe to allow users to change the text like this?

    Code:
    $( function() {
      // On every keyup, copy the raw input value into the preview iframe
      // as text (via createTextNode), not as HTML markup.
      $( "#plc_sub_headline" ).keyup(function() {
        $("#plc_preview").contents().find("#pre_headline_title").text($( "#plc_sub_headline" ).val());
      });
    });
#2 Impoverished Moderator (Devshed Supreme Being, 6500+ posts)
    Join Date: Mar 2007 | Location: Washington, USA | Posts: 16,739 | Rep Power: 9646
    According to the docs,
    We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode(), does not interpret the string as HTML.
#3 A Change of Season (Devshed Loyal, 3000 - 3499 posts)
    Hi, I read
    We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode(), does not interpret the string as HTML.
    It doesn't make sense to me, probably because my English isn't that good.

    From what I see it doesn't seem to execute JavaScript! Maybe because it's in an iframe.

    Which is weird, because it looks like script tags.
#4 Impoverished Moderator (Devshed Supreme Being, 6500+ posts)
    The most important part is the "does not interpret the string as HTML" at the end.
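Added example (not the thread's code nor jQuery's own) showing the difference in practice: the .text() path hands the string to createTextNode(), so nothing is parsed, while the .html()/innerHTML path needs an htmlspecialchars-style escape first. It assumes the thread's element ids (plc_sub_headline, plc_preview, pre_headline_title) and a same-origin preview iframe; escapeHtml, the two updatePreview functions and the sample string are constructed here.

```javascript
// Equivalent of PHP's htmlspecialchars(): only needed when a string is going to
// be *parsed* as HTML (innerHTML / jQuery .html()), never for createTextNode().
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Constructed sample of what a user might type into the headline field.
const SAMPLE = '<b>Sale!</b> 50% off "everything" & more';

// What the thread's snippet does: jQuery .text(value) creates a text node, so
// "<b>" is displayed literally and is never treated as markup. Returns the
// browser's own serialization of that text node (&, < and > come back escaped).
function updatePreviewAsText(previewDoc, value) {
  const node = previewDoc.getElementById('pre_headline_title');
  node.textContent = '';
  node.appendChild(previewDoc.createTextNode(value));
  return node.innerHTML;
}

// The alternative the OP was worried about: .html()/innerHTML parses the string
// as markup, so the caller must escape it first (without escapeHtml() the
// user-controlled value would be rendered as HTML, i.e. stored/reflected XSS).
function updatePreviewAsHtml(previewDoc, value) {
  const node = previewDoc.getElementById('pre_headline_title');
  node.innerHTML = escapeHtml(value);
  return node.innerHTML;
}

// Browser-only wiring, mirroring the thread's keyup handler; skipped under Node.
if (typeof document !== 'undefined') {
  const input = document.getElementById('plc_sub_headline');
  const frame = document.getElementById('plc_preview');
  input.addEventListener('keyup', () => {
    updatePreviewAsText(frame.contentDocument, input.value);
  });
}
```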
