[English Breakfast Tea]

When it comes to htmlspechialchar html_escape etc etc..

Would it be safe to allow users to change the text like this?

Code:

$( function() 
          {
            $( "#plc_sub_headline" ).keyup(function() {
            $("#plc_preview").contents().find("#pre_headline_title").text($( "#plc_sub_headline" ).val());
          });

[requinix]

According to the docs,

We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode(), does not interpret the string as HTML.

[English Breakfast Tea]

Hi I read

We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode(), does not interpret the string as HTML.

It doesn't' make sense to me probably because my English isn't that good.

From what I see it doesn't seem to execute javascript! maybe because it's in an Iframe.

Which is weird because it looks like script tags

[requinix]

The most important part is the "does not interpret the string as HTML" at the end.

[English Breakfast Tea]

Originally Posted by requinix

The most important part is the "does not interpret the string as HTML" at the end.

And that means?

[requinix]

I've forgotten.

[English Breakfast Tea]

Love me like u do love love me love me like u do in other words, would it be safe to do this:

Code:

$( function() 
          {
            $( "#plc_sub_headline" ).keyup(function() {
            $("#plc_preview").text($( "#plc_sub_headline" ).val());
          })

======> This is the playground <======

[requinix]

Yes, though it would be slightly more efficient to

javascript Code:

$(function() {
	var preview = $("#plc_preview");
	$("#plc_sub_headline").keyup(function() {
		preview.text(this.value);
	});
});

Remember that every time you use $ jQuery has to evaluate the selector and find the element on the page. If the element isn't changing then don't make it do that every time.

[English Breakfast Tea]

Thank you

[English Breakfast Tea]

Is this secure?

Code:

function show_hide(item)
            {
                if($("#"+item+"_show").val()==0)
                    {
                        $("#"+item+"_hide_show_button").attr("class","fas fa-eye");
                        $("#"+item+"_show").val(1);
                        $("#"+item+"_row").removeClass("hide-me");
                    }
                else 
                    {
                        $("#"+item+"_hide_show_button").attr("class","fas fa-eye-slash");
                        $("#"+item+"_show").val(0);
                        $("#"+item+"_row").addClass("hide-me");
                    }    
            }
        function update_text(sender, receiver)
            {
                $("#"+receiver).text($("#"+sender).val());
            }

        function bg_color_change(row, color)
            {
                $("#"+row).css("background-color", "#"+color);
            }
        function color_change(row, color)
            {
               $("#"+row).css("color", "#"+color);
            }

Also I got an issue with nl2br

I want to replace the text on the page with the user's input in a textarea.

Code:

<textarea class="form-control page-text" rows="10" id = "page-text-textarea"><?php echo html_escape($page_text);?></textarea>

<button type="button" class="btn btn-info" onclick="update_page_text(); close_modal('page-text-modal');">Proceed</button>

The use is nort allowed to use any html elements. So I thought I just use .text:

$("#page-text").text($("#page-text-textarea").val());

The issue with this is that line breaks get lost. So I thought I use:

$("#page-text").html(textAreaContent);

The issue with this one is if the user adds < script > tags, they can run Javascript on the page and I don't want that.

How can I add user's line breaks only? Basically, apply something like this:

textAreaContent=$("#page-text-textarea").val().replace(/\n/g,"<br>");