I am outputting a string from my Java class like this:

String numQsAdded = "<div id='message1'>"+getQuestion()+"</div>";

This string is being sent back to the client side as an XMLHttpRequest. So, in my JSP page I have a JavaScript alert method that prints out the string returned from the server. It translates '<' to &lt; and '>' to &gt;.

How can I avoid this?

I have tried changing my string to:

String numQsAdded = "&lt;div id='message1'&gt;"+getQuestion()+"&lt;/div&gt;";

But this has even worse effects: then '&' is translated as 'amp'.

+3  A: 

&lt; is the way to show "<" in HTML, which is produced from XMLHttpRequest. Try using XMLRequest.

KM
More specifically, < and > are XML entities and not HTML entities.
DrJokepu
@DrJokepu: They are HTML entities, not XML entities. XML uses x;. To use < in XML, you need a DTD.
J-16 SDiZ
@J-16 SDiZ you're wrong. Read the XML spec. http://www.w3.org/TR/2008/REC-xml-20081126/#sec-predefined-ent
ykaganovich
+5  A: 

XMLHttpRequest encodes the string before sending it. You will have to unescape the string. In the client-side JavaScript, try using:

alert(unescape(returned_string))
Ryan Oberoi
I don't think this will work for XML entities, as the (un)escape functions work on URL encoding, e.g. replacing a space with %20. Just try running alert(unescape("<")); (but not in an onclick="" attribute; in a plain script definition).
Rashack
A: 

I don't think you can avoid that. It's how "<" is represented in HTML, and the result would be OK on your HTML page.

paradisonoir
+2  A: 

It is the entity reference for "<", while &gt; is the entity reference for ">". You will need to unescape the string using the unescape() method.

Matthew Vines
A: 

It might be better to send back a raw string with your message, and leave the client-side JavaScript to create a div with class message1 to put it in. This will also help if you ever decide to change the layout or the style of your notices.

Paul Fisher
+2  A: 

Paul Fisher's answer is the right one. I'll take a moment to explain why. HTML-encoding of content from the server is a security measure to protect your users from script injection attacks. If you simply unescape() what comes from the server you could be putting your users at risk, as well as your site's reputation.

Try doing what Paul said. It's not difficult and it's much more secure. Just to make it easier, here's a sample:

// containerElement is the existing parent node the message is inserted into;
// getQuestion() here stands for the raw text returned by the request
var divStuff = document.createElement('div');
divStuff.id = 'message1';
// Put the server's text in a text node rather than innerHTML, so any markup
// contained in it stays inert instead of being parsed and executed
divStuff.textContent = getQuestion();
containerElement.appendChild(divStuff);

This is much more secure and draws a better separation for your presentation layer in your application.

Joe Davis
In more complex Ajax cases, this is simply not possible. Rich UI elements are sent downstream. Security is mitigated as long as the content is generated on the server and stripped of tags/JavaScript supplied from the external inputs.
Ryan Oberoi
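The following JavaScript is an added example, not code from the question or from any of the answers above, and it ties together three points the thread argues over: unescape() is URL decoding and does nothing to &lt; and &gt;; encoding an already-encoded string is what turns '&' into '&amp;', the "worse effects" in the question; and decoding the server's entities back into markup is exactly the script-injection path that Paul Fisher's and Joe Davis's approach avoids. The function names (decodeHtmlEntities, escapeHtml, looksLikeMarkup, renderMessage) and the sample responses are assumptions constructed for illustration; renderMessage is the text-node rendering and only runs where a DOM exists.

```javascript
// Added example: not from the question or any answer above.
// Assumed names and constructed sample responses; nothing here is the
// original poster's code.

// Minimal HTML entity decoder (the named entities a server-side encoder
// emits, plus numeric character references). This is what unescape()
// is NOT: unescape() only reverses %XX URL encoding.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(isHex ? body.slice(2) : body.slice(1), isHex ? 16 : 10);
      return String.fromCodePoint(code);
    }
    const text = NAMED_ENTITIES[body.toLowerCase()];
    return text === undefined ? match : text; // leave unknown entities alone
  });
}

// The encoding the server applies. Applying it to a string that is already
// encoded turns "&lt;" into "&amp;lt;", which is the "amp" symptom from the
// question when the Java side pre-encodes the tags itself.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// What the server's encoding protects against: a "question" that is really
// markup. Decoding it and assigning the result to innerHTML would run it.
function looksLikeMarkup(decoded) {
  return /<[a-z!\/?]/i.test(decoded);
}

// unescape() is URL decoding: a response with no %XX sequences is returned
// unchanged, entities included.
function unescapeLeavesEntities(s) {
  return unescape(s) === s;
}

// Safe client-side rendering: the server sends plain text and the client
// puts it in a text node, never innerHTML, so "<script>" stays literal text.
function renderMessage(container, questionText) {
  const div = document.createElement('div');
  div.id = 'message1';
  div.textContent = questionText;
  container.appendChild(div);
  return div;
}

// Constructed sample responses, as the browser would receive them.
const ENCODED_RESPONSE = "&lt;div id='message1'&gt;What is 2+2?&lt;/div&gt;";
const HOSTILE_RESPONSE = '&lt;img src=x onerror=alert(1)&gt;';

if (typeof document !== 'undefined') {
  // In a browser: render the text safely instead of decoding entities.
  renderMessage(document.body, decodeHtmlEntities('What is 2+2?'));
}
```

The split is deliberate: the server returns only the text of the question (escaped, or as plain text in a JSON field), and the client alone decides what element wraps it. Decoding entities on the client is only needed if the server is already encoding the whole fragment, and at that point the decoded string must still never reach innerHTML.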