views:

1377

answers:

3

I have some Javascript code that communicates with an XML-RPC backend. The XML-RPC returns strings of the form:

<img src='myimage.jpg'>

However, when I use the Javascript to insert the strings into HTML, they render literally. I don't see an image, I literally see the string:

<img src='myimage.jpg'>

My guess is that the HTML is being escaped over the XML-RPC channel.

How can I unescape the string in Javascript? I tried the techniques on this page, unsuccessfully: http://paulschreiber.com/blog/2008/09/20/javascript-how-to-unescape-html-entities/

What are other ways to diagnose the issue?

+12  A: 

I use the following method:

function htmlDecode(input){
  var e = document.createElement('div');
  e.innerHTML = input;
  return e.childNodes[0].nodeValue;
}

htmlDecode("&lt;img src='myimage.jpg'&gt;"); 
// returns "<img src='myimage.jpg'>"

Basically I create a DOM element programmatically, assign the encoded HTML to its innerHTML and retrieve the nodeValue from the text node created on the innerHTML insertion.

It will work cross-browser accepting all the HTML Character Entities.

CMS
Got it, you changed to ', so let me delete my comment back, thx, its working great, +1
S.Mark
@S.Mark: `'` doesn't belongs to the HTML 4 Entities, that's why! http://www.w3.org/TR/html4/sgml/entities.html http://fishbowl.pastiche.org/2003/07/01/the_curse_of_apos/
CMS
Oh, Thats great to know that, thanks for info.
S.Mark
See also @kender's note about the poor security of this approach.
Joseph Turian
See my note to @kender about the poor testing he did ;)
Roatin Marth
Also, nice answer.
Roatin Marth
+1  A: 

Not a direct response to your question, but wouldn't it be better for your RPC to return some structure (be it XML or JSON or whatever) with those image data (urls in your example) inside that structure?

Then you could just parse it in your javascript and build the <img> using javascript itself.

The structure you recieve from RPC could look like:

{"img" : ["myimage.jpg", "myimage2.jpg"]}

I think it's better this way, as injecting a code that comes from external source into your page doesn't look very secure. Imaging someone hijacking your XML-RPC script and putting something you wouldn't want in there (even some javascript...)

kender
Does the @CMS approach above have this security flaw?
Joseph Turian
I just checked the following argument passed to htmlDecode fuction: htmlDecode("<img src='myimage.jpg'><script>document.write('xxxxx');</script>") and it creates the <script></script> element that can be bad, imho. And I still think returning a structure instead of text to be inserted is better, you can handle errors nicely for example.
kender
I just tried `htmlDecode("<img src='myimage.jpg'><script>alert('xxxxx');</script>")` and nothing happened. I got the decoded html string back as expected.
Roatin Marth
+5  A: 

If you're using jQuery:

function htmlDecode(value){ 
  return $('<div/>').html(value).text(); 
}

Otherwise, use Strictly Software's Encoder Object, which has an excellent htmlDecode() function.

cxfx