views:

758

answers:

3

Hello, I'm using a JSON object to store different bits of content, one of which can contain JavaScript and HTML relevant content (like quotes, semicolons, tags, etc.) which without encoding can break the page. To work around this I'm using:

"content":"<%=StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeJavaScript(content))%>"

(I'm using JSP as server-side technology and this is a bit of the JSON generated inline when the page is loading)

This works fine to escape any character that might break the page, but I now need to get the content from this variable to a textarea.

$('textarea').val(obj.content);

What I'm trying to avoid is the double-encoding that happens at this point:

  • the original content is: <script>alert("hello world");</script>
  • the content variable holds: &lt;script&gt;alert(&quot;hello world&quot;);&lt;/script&gt;
  • the text in the textarea reads: &lt;script&gt;alert(&quot;hello world&quot;);&lt;/script&gt; when it should read <script>alert("hello world");</script>

Any way of making this work?

A: 

Just put it in unescape. I mean $('textarea').val(unescape(obj.content));

Eldar Djafarov
unescape() has no effect on the content.
Dan
Yes you are right :( sorry - then you need to HTML entity decode manually.
Eldar Djafarov
A: 

Would you be able to use StringEscapeUtils.escapeJavaScript instead? If the JSON is in a <script> block that should be sufficient to avoid breaking the page and no decoding will be necessary.

Nate
That's how it was originally, but because there exists the unencoded "</script>" element in my content, it prematurely closes the <script> containing the JSON.
Dan
But of course...
Nate
A: 

How about $('textarea').html(obj.content); ?

In my tests, using the html function instead of val does the HTML entity decoding for you.

npdoty
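Added example, not code from the question or any of the answers: it shows both routes the thread arrives at, an explicit client-side entity decoder (what the .html() trick does implicitly, but usable with .val() so the textarea never interprets markup) and a server-side encoding that makes escapeHtml unnecessary by neutralising the "</script>" sequence that broke the escapeJavaScript-only version. It is plain JavaScript that runs in Node without a DOM; the decoder assumes only the five basic named entities plus numeric references need handling, and the sample strings are constructed from the question's example.

```javascript
// Approach A: decode HTML entities on the client, then set the textarea
// with .val(). Only the five basic named entities and numeric references
// are handled (assumption): enough for the characters in the question,
// but e.g. &eacute; emitted by escapeHtml for non-ASCII text is left as-is.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function decodeHtmlEntities(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body]
      : match; // unknown entity: leave it exactly as written
  });
}

// Approach B: drop escapeHtml on the server. Inside a <script> block the
// HTML parser never decodes entities, so HTML-escaping there is pure
// double-encoding. What the parser does react to is "</script>" (and
// "<!--"), which is why escapeJavaScript alone broke the page. Writing
// '<', '>' and '&' as \uXXXX inside the JSON string keeps the output valid
// JSON and valid JavaScript, and JSON.parse (or the browser evaluating the
// inline object literal) yields the original text unchanged.
function jsonForScriptBlock(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// The inline script a JSP would emit, so the closing-tag problem can be
// checked on the whole blob rather than on the value alone.
function inlineScript(content) {
  return '<script>var obj = {"content": ' + jsonForScriptBlock(content) + '};</script>';
}

// Constructed sample values, taken from the question's example
const ORIGINAL = '<script>alert("hello world");</script>';
const DOUBLE_ENCODED = '&lt;script&gt;alert(&quot;hello world&quot;);&lt;/script&gt;';
```

In the page, approach A is `$('textarea').val(decodeHtmlEntities(obj.content))`; with approach B the JSP emits `jsonForScriptBlock(content)` in place of the escapeHtml(escapeJavaScript(...)) expression and the plain `.val(obj.content)` from the question already works.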