Escape HTML using jQuery [duplicate]

Question

I came up with a hack to escape HTML using jQuery and I'm wondering if anyone sees a problem with it.

$('<i></i>').text(TEXT_TO_ESCAPE).html();

The <i> tag is just a dummy as jQuery needs a container to set the text of.

Is there perhaps an easier way to do this? Note that I need the text stored in a variable, not for display (otherwise I could just call elem.text(TEXT_TO_ESCAPE);).

Thanks!

What do you exactly mean by “escape HTML”? Do you want to convert characters like <, > and & to their corresponding HTML entities? — Marcel Korpel
– Marcel Korpel, Commented May 16, 2011 at 16:59
your example could be shortened to: $('<i>').text(TEXT_TO_ESCAPE).html(); — Zach Lysobey
– Zach Lysobey, Commented May 8, 2013 at 19:33

mu is too short · Accepted Answer · 2013-09-20 17:47:04Z

62

That's a pretty standard way of doing it, my version used a <div> though:

return $('<div/>').text(t).html();

This isn't technically 100% safe though as Mike Samuel notes but it is probably pretty safe in practice.

The current Prototype.js does this:

function escapeHTML() {
    return this.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');
}

But it used to use the "put text in a div and extract the HTML" trick.

There's also _.escape in Underscore, that does it like this:

// List of HTML entities for escaping.
var htmlEscapes = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;'
};

// Regex containing the keys listed immediately above.
var htmlEscaper = /[&<>"'\/]/g;

// Escape a string for HTML interpolation.
_.escape = function(string) {
  return ('' + string).replace(htmlEscaper, function(match) {
    return htmlEscapes[match];
  });
};

That's pretty much the same approach as Prototype's. Most of the JavaScript I do lately has Underscore available so I tend to use _.escape these days.

edited Sep 20, 2013 at 17:47

answered May 16, 2011 at 17:06

mu is too short

436k71 gold badges863 silver badges822 bronze badges

Sign up to request clarification or add additional context in comments.

10 Comments

Mike Samuel Over a year ago

A lot of libraries do this. Just be aware that the result here is safe to embed in a PCDATA context and an RCDATA context, but not an attribute context since quotes are not escaped. If you might be susceptible to UTF-7 attacks and the like you should also escape '+': en.wikipedia.org/wiki/UTF-7#Security

mu is too short Over a year ago

@Mike: I don't think the .text(t).html() or Prototype's replace approaches are really that great, both approaches have problems. The lack of a encodeHTML() function in the standard JavaScript library is a gaping hole and a rather surprising oversight.

Marcel Korpel Over a year ago

@muis: I don't think so: the core JavaScript language is not specifically aimed at web browsers.

mu is too short Over a year ago

@Marcel: But we do have encodeURIComponent and JavaScript's roots are in web browsers. And, the fact that everyone ends up writing their own indicates that there is a gap in the standard libraries.

Michael Mior Over a year ago

@muis Thanks for the pointer to Prototype. It turns out that my proposed method doesn't work as I expect in some browsers (read: IE)

|

Mike Samuel · Accepted Answer · 2011-05-16 18:48:51Z

11

There is no guarantee that html() will be completely escaped so the result might not be safe after concatenation.

html() is based on innerHTML, and a browser could, without violating lots of expectations, implement innerHTML so that $("<i></i>").text("1 <").html() is "1 <", and that $("<i></i>").text("b>").html() is "b>".

Then if you concatenate those two individually safe results, you get "1 <b>" which will obviously not be the HTML version of the concatenation of the two plaintext pieces.

So, this method is not safe by deduction from first principles, and there's no widely followed spec of innerHTML (though HTML5 does address it).

The best way to check if it does what you want is to test corner cases like this.

edited May 16, 2011 at 18:48

answered May 16, 2011 at 17:03

Mike Samuel

121k30 gold badges230 silver badges255 bronze badges

2 Comments

Michael Mior Over a year ago

Actually, I want $("<i></i>").text("1 <").html() to be "1 <" and $("<i></i>").text("b>").html() to be "b>". (which works)

Mike Samuel Over a year ago

@Michael, if you've tested it on major browsers, and it works, great. As of 15 June, 2009, a current version of Safari actually unescaped > so <input name="Hello>World"> was returned via innerHTML as <input name="Hello>World">. That may have been fixed in modern browsers though. My point is that testing is the way to gain confidence.

Pointy · Accepted Answer · 2011-05-16 17:02:05Z

1

That should work. That's basically how the Prototype.js library does it, or at least how it used to do it. I generally do it with three calls to ".replace()" but that's mostly just a habit.

answered May 16, 2011 at 17:02

Pointy

415k62 gold badges600 silver badges631 bronze badges

Collectives™ on Stack Overflow

Escape HTML using jQuery [duplicate]

3 Answers 3

10 Comments

2 Comments

Comments

Linked

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

10 Comments

2 Comments

Comments

Linked

Related