views: 25999
answers: 8

Does anyone know of an easy way to escape HTML from strings in jQuery? I need to be able to pass an arbitrary string and have it properly escaped for display in an HTML page (preventing JavaScript/HTML injection attacks). I'm sure it's possible to extend jQuery to do this, but I don't know enough about the framework at the moment to accomplish this.

A: 

No need for a jQuery function - it's built into JavaScript itself - encodeURIComponent()

ceejayoz
That's URL escaping, not HTML escaping.
Grumdrig
A: 

@brad - escapeURIComponent() will work better than escape() for UTF-8 special characters like ö...

ceejayoz
escapeURIComponent() does not exist, it is encodeURIComponent()
Seldaek
+14  A: 

If you're escaping for HTML, there are only three that I can think of that would be really necessary:

html.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

Depending on your use case, you might also need to do things like " to &quot;. If the list got big enough, I'd just use an array:

var escaped = html;
var findReplace = [[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g, "&gt;"], [/"/g, "&quot;"]];
// Iterate by index: for...in yields the keys ("0", "1", ...), not the pairs.
for (var i = 0; i < findReplace.length; i++)
    escaped = escaped.replace(findReplace[i][0], findReplace[i][1]);

escapeURIComponent() will only escape it for URLs, not for HTML.

tghw
Jed Schmidt
You are correct. I will correct it.
tghw
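An added example, not code from any of the answers above: a plain-JavaScript escaper that covers the five characters that matter in text and attribute context, plus a small helper that uses it for both an attribute value and element content. The names escapeHtml, HTML_ESCAPES and renderTitledSpan are invented here, and the sample inputs are constructed for the demonstration.

```javascript
// Added example, not from the original answers. Single-pass escaping of the
// five HTML-significant characters. One pass with a callback means "&" is
// never re-escaped by a later replacement, unlike a chain of .replace() calls
// whose order must be correct.
var HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;" // numeric form: &apos; is not part of HTML 4
};

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, function (ch) {
    return HTML_ESCAPES[ch];
  });
}

// The three-character set (& < >) is enough for text content; attribute
// values in quotes also need the quote character escaped, otherwise a value
// containing a double quote can terminate the attribute early.
function renderTitledSpan(title, text) {
  return '<span title="' + escapeHtml(title) + '">' + escapeHtml(text) + "</span>";
}

// Constructed sample inputs (not from the page).
var samples = [
  "<script>alert('hi!');</script>", // element context
  '" onmouseover="alert(1)',         // attribute context: quote must be escaped
  "This is fun & stuff",             // bare ampersand
  "&amp;"                            // already-escaped input is escaped again, not decoded
];

function escapeSamples() {
  return samples.map(escapeHtml);
}

if (typeof require !== "undefined" && require.main === module) {
  escapeSamples().forEach(function (s) { console.log(s); });
  console.log(renderTitledSpan('say "hi"', "<b>not bold</b>"));
}
```

jQuery's .text() does the equivalent for element content by going through the DOM, but it does nothing for attribute values you assemble yourself; for those, escape explicitly as above or set them with .attr().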
+37  A: 

Since you're using jQuery, you can just set the element's text property:

// before:
// <div class="someClass">text</div>
var someHtmlString = "<script>alert('hi!');</script>";
$("div.someClass").text(someHtmlString);
// after: 
// <div class="someClass">&lt;script&gt;alert('hi!');&lt;/script&gt;</div>
travis
You missed the point that you have to access $("div.someClass").html() to get the escaped version out.
Morten Christiansen
A: 

Thanks for the answers! I agree, escapeURIComponent() isn't exactly what I was looking for since it is meant for escaping URLs and not HTML. I didn't realize that .text() in jQuery would escape my HTML strings. That is really what I was looking for. Thanks @travis!

Page Brooks
escapeURIComponent() does not exist, it is encodeURIComponent()
Seldaek
A: 

Instead of using jQuery I use the below function to strip out HTML.

function stripHTML(string) { 
    return string.replace(/<(.|\n)*?>/g, ''); 
}
Jahangir
+22  A: 
$('<div/>').text('This is fun & stuff').html(); // "This is fun &amp; stuff"

Source: http://debuggable.com/posts/encode-html-entities-with-jquery:480f4dd6-13cc-4ce9-8071-4710cbdd56cb

Could the original poster edit the question title to clarify this question is about HTML entity escaping, not URL encoding?

Henrik N
A: 

sorry posted incorrectly, trying to delete...

leslchan