tags:

views:

146

answers:

2
+3  Q: 

Converting HTML to its safe entities with Javascript

I'm trying to convert characters like < and > into &lt; and &gt; etc.

User input is taken from a text box, and then copied into a DIV called changer.

here's my code:

function updateChanger() {
    var message = document.getElementById('like').value;
    message = convertHTML(message);
    document.getElementById('changer').innerHTML = message;
}

function convertHTML(input)
{
    input = input.replace('<', '&lt;');
    input = input.replace('>', '&gt;');
    return input;
}

But it doesn't seem to replace >, only <. Also tried like this:

input = input.replace('<', '&lt;').replace('>', '&gt;');

But I get the same result.

Can anyone point out what I'm doing wrong here? Cheers.

+4  A: 

A more robust way to do this is to create an HTML text node; that way all of the other potentially invalid content (there's more than just < and >) is converted. For example:

var message = document.getElementById('like').value;
document.getElementById('changer').appendChild(document.createTextNode(message));

UPDATE

You mentioned that your event was firing upon each key press. If that's what's triggering this code, you'll want to remove what was previously in the div before appending the text. An easy way to do that is like this:

var message = document.getElementById('like').value;
var changer = document.getElementById('changer');
changer.innerHTML = '';
changer.appendChild(document.createTextNode(message));
Jacob  2010-06-18 00:58:55
So all the HTML in the text node is safe? As in all the < and > and junk is converted to their entities?
VIVA LA NWO  2010-06-18 01:05:03
I ran into a problem, the `updateChanger()` function is called on keyUp, so it's constantly making a new text node when I type into the text field. Should I just create the text node on document.ready instead?
VIVA LA NWO  2010-06-18 01:07:26
Yes, it will treat your text as text rather than as markup, so it's equivalent to converting all the special characters.
Jacob  2010-06-18 01:08:55
As for your event firing, you can always clear the `div` first.
Jacob  2010-06-18 01:09:53
A: 

Try something like this:

function convertHTML(input)
{
  input = input.replace(/>/g, '&gt;');
  input = input.replace(/</g, '&lt;');

  return input;
}

replace only replaces the first occurrence of > or < in the string, in order to replace all occurrences of < or >, use regular expressions with the g param to ensure the entire string is searched for all occurrences of the values.

Bug Magnet  2010-06-18 01:02:13
You probably want to `return` the new value of `input`.
Marcel Korpel  2010-06-18 01:04:14
This solves my problem thanks, but Jacob's answer is a better way to do what I'm doing so I'll be accepting his. Thanks a lot though! :)
VIVA LA NWO  2010-06-18 01:04:18
No worries, I prefer Jacob's answer too and voted him up!
Bug Magnet  2010-06-18 07:35:09

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?