views:

46

answers:

1

I ran into an interesting problem.

In our webpage a user can write their own description. We escape all text to make it easy to write (<3 shows up properly and isn't the start of a tag). This also avoids any problems with trying to inject their JavaScript code or hide something or do anything with HTML.

A side effect is when a user writes

Hi

My name is

shows up as

Hi My name is

Initially we (really I) wrote var desc = (SafeHtml)obj.desc.HtmlEscape.replace("\n", "\n<br>"); however this doesn't replace anything, because what really happens is \n is replaced as &#10; since all characters < 0x20 (<-- I think) need an escape to be represented in HTML.

So my question is, am I doing things right? I changed the replace to ("&#10;", "\n<br/>");. Is this the right way? Escape everything and replace characters you deem 'legal'? ATM I can't think of any other characters to escape.

A: 

That's how I'd do it - escape everything, and then replace safe escaped sequences. That said, I don't think you need to replace all characters < 0x20 - I'd leave 0x10 (newline) and 0x13 (carriage return) alone in the escaping step, and then replace them by <br />. Doesn't make much difference though.

Dominic Rodger
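Worked example of the approach the answer describes (escape everything, then turn only the escaped line-break sequences back into markup), added here as illustration and not code from the question or the answer. The escapeAll helper is a constructed stand-in for the GWT-style HtmlEscape in the question, assumed to encode every character below 0x20 as a numeric reference; LF is 0x0A (&#10;) and CR is 0x0D (&#13;) in this code.

```javascript
// Constructed stand-in for an HTML escaper that also encodes control characters.
const NAMED = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character with HTML meaning, plus every control character
// below 0x20. This is why a raw "\n" (0x0A) comes out as "&#10;".
function escapeAll(text) {
  return Array.from(text, (ch) => {
    if (NAMED[ch] !== undefined) return NAMED[ch];
    const code = ch.charCodeAt(0);
    return code < 0x20 ? `&#${code};` : ch;
  }).join('');
}

// The original attempt from the question: replacing "\n" after escaping matches
// nothing, because the newline has already become "&#10;".
function naiveDescription(text) {
  return escapeAll(text).replace(/\n/g, '\n<br>');
}

// Working version: escape everything, then map the escaped CRLF or lone LF
// to a line break. A lone escaped CR ("&#13;") is dropped rather than rendered.
function renderDescription(text) {
  return escapeAll(text)
    .replace(/&#13;&#10;|&#10;/g, '<br />')
    .replace(/&#13;/g, '');
}

// Wrong order for comparison: inserting markup before escaping means the
// escaper neutralises the <br /> along with everything the user typed.
function replaceThenEscape(text) {
  return escapeAll(text.replace(/\n/g, '<br />'));
}

// Constructed sample description containing a Windows line break and markup.
const sample = 'Hi\r\n\r\nMy name is <3 <b>';
console.log(naiveDescription(sample));   // no <br> at all
console.log(renderDescription(sample));  // Hi<br /><br />My name is &lt;3 &lt;b&gt;
console.log(replaceThenEscape(sample));  // &lt;br /&gt; instead of a line break
```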