tags:

views:

1329

answers:

2
+3  Q: 

Escaping text with jQuery append?

I know that I can use $.html to set the HTML content of something, and $.text to set the content (and that this escapes the HTML).

Unfortunately, I'm using $.append, which doesn't escape the HTML.

I've got something like this:

function onTimer() {
    $.getJSON(url, function(data) {
        $.each(data, function(i, item) {
           $('#messages').append(item);
        }
    }
}

...where the url returns an array of strings. Unfortunately, if one of those strings is (e.g.) <script>alert('Hello')</script>, this gets executed.

How do I get it to escape HTML?

+6  A: 

You're appending an element which already has content? Or you're adding the content after you append? Either way, you still need to do .text(...) on that element.

If you're using append and passing HTML as the argument, then try creating the element first, and passing it to append.

Ex:

$('<div></div>').text('your content here').appendTo('div#someid')
Matt  2009-06-03 12:29:16
Won't this wrap the text in a DIV? I can't see how that would be desired most of the time.
Paolo Bergantino  2009-06-03 13:01:47
That works, but it seems a bit clunky. Do you want to throw in an explanation of how it works and why I'd want to use it?
Roger Lipscombe  2009-06-03 13:03:31
Aha. I start to see it. It doesn't seem that you can open a tag -- i.e. $('#x').append('<strong>'); and close it again later. You seem to need your scheme.
Roger Lipscombe  2009-06-04 12:51:21
+5  A: 

Check out how jQuery does it:

text: function( text ) {
 if ( typeof text !== "object" && text != null )
  return this.empty().append( (this[0] && this[0].ownerDocument || document).createTextNode( text ) );

 var ret = "";

 jQuery.each( text || this, function(){
  jQuery.each( this.childNodes, function(){
   if ( this.nodeType != 8 )
    ret += this.nodeType != 1 ?
     this.nodeValue :
     jQuery.fn.text( [ this ] );
  });
 });

 return ret;
},

So something like this should do it:

$('#mydiv').append(
    document.createTextNode('<b>Hey There!</b>')
);

EDIT: Regarding your example, it's as simple as:

$('#messages').append(document.createTextNode(item));
Paolo Bergantino  2009-06-03 12:30:12

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript