jQuery append without HTML?
Hello, I'm having an XSS vulnerability using jQuery's .append() function.
What I'm doing is appending raw chat messages coming from users, and I don't want to strip HTML tags server-side or client-side; I just want to display them. Yet jQuery's .append() method renders the HTML markup.
Is there any way to do something like appendText()? I tried .text() but it doesn't work properly, generating the proper HTML.
I currently use:
var li = $('<div></div>').addClass('chatmsg');
var al = $('<span></span>').addClass(chatClass).text("You");
li.append(al);
li.append(" " + msg);
$('.chat').append(li);
How can I fix the li.append(" " + msg); line so that it does not render HTML, without anything advanced like regular expressions and such?
Thanks
You can change it just a bit, like this:
var li = $('<div />', { text: ' ' + msg, 'class': 'chatmsg' });
var al = $('<span />', { text: 'You', 'class': chatClass });
li.prepend(al);
$('.chat').append(li);
This is calling .text() under the covers, encoding anything that might be in msg.
You can use the following function:
function htmlEncode(value){
return $('<div/>').text(value).html();
}
So your code becomes:
var li = $('<div></div>').addClass('chatmsg');
var al = $('<span></span>').addClass(chatClass).text("You");
li.append(al);
li.append(" " + htmlEncode(msg));
$('.chat').append(li);
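Added example, not from the question or either answer: a browser-free model in plain JavaScript of what the vulnerable line and the hardened form produce, so the difference can be checked without a DOM. The names escapeHtml, renderUnsafe, renderSafe and foreignTags are chosen here, the sample messages are constructed, and the string escaping stands in for what jQuery's .text() yields when read back with .html() (it serialises &, < and > as entities; quotes are escaped here as well, which a text context does not strictly need).

```javascript
// Added example, not from the original page. A DOM-free model of the two
// jQuery approaches: renderUnsafe mirrors li.append(" " + msg), renderSafe
// mirrors $('<div />', { text: ' ' + msg }) or li.append(" " + htmlEncode(msg)).

// Equivalent of what a text node set with .text() looks like when serialised
// with .html(): '&', '<' and '>' become entities. Quotes are escaped too as a
// margin for attribute context; the chat code only needs text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form: msg is concatenated into markup that the HTML parser
// then interprets, so any tags inside msg become live elements.
function renderUnsafe(chatClass, msg) {
  return '<div class="chatmsg"><span class="' + chatClass + '">You</span> ' +
    msg + "</div>";
}

// Hardened form: msg only ever reaches the document as text. (In jQuery,
// .addClass(chatClass) never parses HTML; in this string model chatClass
// sits inside an attribute, so it is escaped as well.)
function renderSafe(chatClass, msg) {
  return '<div class="chatmsg"><span class="' + escapeHtml(chatClass) +
    '">You</span> ' + escapeHtml(msg) + "</div>";
}

// Demonstration check, not a sanitizer: list tag names in the serialised
// markup other than the div and span we built ourselves. An attacker can
// also smuggle attributes onto allowed tags, which this does not look for;
// it only makes the difference between the two renderers visible.
function foreignTags(markup) {
  const allowed = new Set(["div", "span"]);
  const found = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(markup)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) found.push(name);
  }
  return found;
}

// Render one message both ways and report what the parser would see.
function compare(chatClass, msg) {
  const unsafe = renderUnsafe(chatClass, msg);
  const safe = renderSafe(chatClass, msg);
  return {
    unsafe: unsafe,
    safe: safe,
    injectedUnsafe: foreignTags(unsafe),
    injectedSafe: foreignTags(safe),
  };
}

// Constructed sample chat messages standing in for user input.
const SAMPLE_MESSAGES = [
  "hello <b>world</b>",
  '<img src=x onerror="alert(1)">',
  "a < b && c > d",
];
```

Running compare("me", SAMPLE_MESSAGES[1]) shows the unsafe rendering carrying a live img element with an onerror handler, while the safe rendering contains only the literal text. The htmlEncode approach works because .append() parses the entities back into plain text; the text: property form is simpler because msg never goes through the parser at all.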