
How to avoid double HTML escaping text?

In my application, there are times when some text may or may not be HTML-escaped (depending on where the data came from). I want to ensure the non-escaped text gets escaped, but the already escaped text doesn't get escaped again.

How do people typically solve this?


You can't tell from the data.

For example:

Bob &amp; Alice

… could be "The HTML representation of Bob & Alice" or it could also be "The plain text representation of Bob &amp; Alice" (e.g. from an HTML tutorial).

Since you say:

depending on where the data came from

… keep track of where it comes from, and make sure you know if a source provides trusted HTML or plain text.

If you don't know, then how you handle it will depend on the context. The safe option would be to assume it is always plain text and thus always encode it. That will protect you from scripting injection attacks.


One way is to unescape the string and compare it to the original. If it is the same, the original is unescaped data, otherwise it is escaped data.

// The built-in escape()/unescape() are URL percent-encoders, not HTML encoders,
// so the comparison needs HTML entity helpers
function htmlEscape(s) { return s.replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'})[c]); }
function htmlUnescape(s) { return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ({amp:'&',lt:'<',gt:'>',quot:'"','#39':"'"})[e]); }

var str = '<data>';

// Escape unescaped data: if unescaping changes nothing, treat it as plain text
if (htmlUnescape(str) === str) {
   str = htmlEscape(str);
}
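The two approaches side by side, as an added JavaScript example that is not code from either answer: the unescape-and-compare guess from the answer above, and a provenance-carrying wrapper of the kind the first answer recommends. The names SafeHtml, fromPlainText, fromTrustedHtml, render and joinHtml, and the sample input, are my own constructions.

```javascript
// Minimal HTML escape/unescape helpers (JavaScript's escape()/unescape()
// are URL percent-encoders, so real entity handling is needed here)
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNENTITY = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

function htmlEscape(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

function htmlUnescape(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => UNENTITY[name]);
}

// Approach A, guessing from the data (second answer): if unescaping changes
// nothing, escape; otherwise assume the string is already escaped HTML.
function escapeByGuessing(str) {
  return htmlUnescape(str) === str ? htmlEscape(str) : str;
}

// Approach B, tracking provenance (first answer): a SafeHtml value exists only
// because plain text was escaped once or a trusted source declared it HTML.
class SafeHtml {
  constructor(html) { this.html = html; Object.freeze(this); }
}
function fromPlainText(text) { return new SafeHtml(htmlEscape(text)); }
function fromTrustedHtml(html) { return new SafeHtml(html); } // trusted sources only

// Rendering: SafeHtml passes through untouched (never escaped twice);
// any bare string is treated as plain text and escaped exactly once.
function render(value) {
  return value instanceof SafeHtml ? value.html : htmlEscape(value);
}
// Composing fragments yields SafeHtml, so nesting layers never re-escapes.
function joinHtml(parts) {
  return new SafeHtml(parts.map(render).join(''));
}

// Constructed sample: plain text that happens to contain an entity plus a tag
// (e.g. pasted from an HTML tutorial). The guess leaves the <b> tag live,
// while the provenance path escapes everything once and never again.
const tutorialText = 'Bob &amp; Alice <b>example</b>';
const guessed = escapeByGuessing(tutorialText);   // unchanged, tag survives
const asText = render(tutorialText);              // fully escaped once
const nested = render(joinHtml([joinHtml([fromPlainText('a & b')]), 'c & d']));
console.log(guessed, '|', asText, '|', nested);
```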


Unescape text before escaping it.
