#1
  1. A Change of Season
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    3,558
    Rep Power
    221

    Is Jquery's .text() safe?


When it comes to htmlspecialchars, html_escape etc. etc.

    Would it be safe to allow users to change the text like this?

Code:
$(function() {
    $("#plc_sub_headline").keyup(function() {
        // Write the headline into the preview iframe as plain text
        $("#plc_preview").contents().find("#pre_headline_title").text($("#plc_sub_headline").val());
    });
});
  2. #2
  3. Backwards Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    16,905
    Rep Power
    9646
    According to the docs,
    We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode(), does not interpret the string as HTML.
  4. #3
  5. A Change of Season
    Hi I read
    We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode(), does not interpret the string as HTML.
It doesn't make sense to me, probably because my English isn't that good.

From what I see it doesn't seem to execute JavaScript! Maybe because it's in an iframe.

    Which is weird because it looks like script tags
  6. #4
  7. Backwards Moderator
    The most important part is the "does not interpret the string as HTML" at the end.
  8. #5
  9. A Change of Season
    Originally Posted by requinix
    The most important part is the "does not interpret the string as HTML" at the end.
    And that means?
  10. #6
  11. Backwards Moderator
  12. #7
  13. A Change of Season
    Love me like u do love love me love me like u do in other words, would it be safe to do this:

Code:
$(function() {
    $("#plc_sub_headline").keyup(function() {
        // Same idea without the iframe: the preview element gets the value as text
        $("#plc_preview").text($("#plc_sub_headline").val());
    });
});
    ======> This is the playground <======
  14. #8
  15. Backwards Moderator
    Yes, though it would be slightly more efficient to
    javascript Code:
    $(function() {
    	var preview = $("#plc_preview");
    	$("#plc_sub_headline").keyup(function() {
    		preview.text(this.value);
    	});
    });

    Remember that every time you use $ jQuery has to evaluate the selector and find the element on the page. If the element isn't changing then don't make it do that every time.
  16. #9
  17. A Change of Season
    Thank you
  18. #10
  19. A Change of Season
    Is this secure?

Code:
// Toggle a row's visibility; the hidden "<item>_show" input tracks the state
function show_hide(item)
{
    if ($("#" + item + "_show").val() == 0) {
        $("#" + item + "_hide_show_button").attr("class", "fas fa-eye");
        $("#" + item + "_show").val(1);
        $("#" + item + "_row").removeClass("hide-me");
    } else {
        $("#" + item + "_hide_show_button").attr("class", "fas fa-eye-slash");
        $("#" + item + "_show").val(0);
        $("#" + item + "_row").addClass("hide-me");
    }
}

// Copy the sender input's value into the receiver element as plain text
function update_text(sender, receiver)
{
    $("#" + receiver).text($("#" + sender).val());
}

// Apply a hex colour (without the leading "#") as the row's background
function bg_color_change(row, color)
{
    $("#" + row).css("background-color", "#" + color);
}

// Apply a hex colour (without the leading "#") as the row's text colour
function color_change(row, color)
{
    $("#" + row).css("color", "#" + color);
}
    Also I got an issue with nl2br

    I want to replace the text on the page with the user's input in a textarea.

Code:
<textarea class="form-control page-text" rows="10" id="page-text-textarea"><?php echo html_escape($page_text); ?></textarea>

<button type="button" class="btn btn-info" onclick="update_page_text(); close_modal('page-text-modal');">Proceed</button>
The user is not allowed to use any HTML elements. So I thought I'd just use .text:

    $("#page-text").text($("#page-text-textarea").val());

    The issue with this is that line breaks get lost. So I thought I use:

    $("#page-text").html(textAreaContent);

    The issue with this one is if the user adds < script > tags, they can run Javascript on the page and I don't want that.

    How can I add user's line breaks only? Basically, apply something like this:

    textAreaContent=$("#page-text-textarea").val().replace(/\n/g,"<br>");
    Last edited by English Breakfast Tea; May 27th, 2018 at 12:34 AM.
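The following is an added example, not code from the thread or from jQuery, that covers both the moderator's point about .text() going through createTextNode() and the final nl2br question: escape the text first (what .text() does implicitly) and only then insert <br> elements you generate yourself. The helper names escapeHtml, textWithLineBreaks and textNodesWithLineBreaks are assumptions, and the element ids in the usage comment are the ones the thread mentions.

```javascript
// Added example, not code from the thread. jQuery's .text() is safe because it
// goes through createTextNode(), so the browser never parses the string as
// markup; .html() does parse it. To keep a user's line breaks without handing
// their text to the HTML parser, escape first and only then add your own <br>s.

// Escape the characters that can switch HTML context (assumed helper name).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Escaped text with newlines turned into <br>. Safe to pass to .html(),
// because every "<" typed by the user has already become "&lt;".
function textWithLineBreaks(s) {
  return escapeHtml(s).replace(/\r\n|\r|\n/g, "<br>");
}

// Alternative that never builds an HTML string at all: one text node per line
// with a <br> element between them. `doc` is injectable so the function can
// be exercised outside a browser; in the page it defaults to `document`.
function textNodesWithLineBreaks(s, doc) {
  doc = doc || (typeof document !== "undefined" ? document : null);
  if (!doc) throw new Error("no DOM available");
  const nodes = [];
  String(s).split(/\r\n|\r|\n/).forEach((line, i) => {
    if (i > 0) nodes.push(doc.createElement("br"));
    nodes.push(doc.createTextNode(line)); // literal text, never parsed
  });
  return nodes;
}

// In the page, with the thread's element ids (assumed to exist):
//   $("#page-text").html(textWithLineBreaks($("#page-text-textarea").val()));
// or, DOM-only:
//   $("#page-text").empty().append(textNodesWithLineBreaks($("#page-text-textarea").val()));
```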
