
The problem is this:

You have a textbox; you type in some text and send it to the server. On another page, that value is retrieved and displayed on screen in a textbox and a label.

It's important to stop scripting attacks, and ASP.NET won't let you submit unsafe code, so on submit you use JavaScript to replace < with &lt; and do the same for >.

When the values are retrieved from the server, they come back with &lt; and &gt;, which is fine for displaying in the label, but when they are put into the textbox they must be converted back to < and >.

The data should be stored securely in the database, as other people might use this content. From a safety point of view I'd like to call HtmlEncode on it and then store it. It is this encoded HTML I'd like to display in the label on the client, but the decoded version I'd like to display in the textbox.

So what I need is an HtmlDecode solution in JavaScript. HtmlEncode/HtmlDecode replace more than just < and >, and without a definitive list I can't create my own method. Is there a solution out there?

    I wouldn't do the cleaning of input on the client side. How does that stop scripting attacks? Make sure you clean the submitted string on the server side. Commented Oct 31, 2012 at 5:51

1 Answer


Instead of trying to turn a string of text into HTML and then adding it to the document using innerHTML, use standard DOM methods.

    // Append the string as a text node: the browser escapes it for you,
    // so a value such as "<script>" is rendered as literal characters,
    // never parsed as markup.
    myElement.appendChild(
        document.createTextNode(myString)
    );
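As an added example (not code from the question or the answer above): the question asks for a JavaScript HtmlDecode and a definitive list of what it must handle. For arbitrary HTML the only definitive list is the full HTML5 named character reference table, which the browser's parser already has, so inside a page the reliable decoder is the parser itself (DOMParser, which builds an inert document and runs no scripts), and the reliable way to display the result is .textContent for the label and .value for the textbox, never innerHTML. The block below assumes the stored values were produced by ASP.NET's HttpUtility.HtmlEncode, which emits only &lt; &gt; &amp; &quot; &#39; and decimal references such as &#160; (an assumption about the encoder; the table decoder deliberately leaves anything it does not recognise untouched). It also shows the flaw the comment points at: escaping < and > on the client before the server encodes again produces double-encoded text that a single decode cannot restore, while adding no protection, since a client can post whatever it likes regardless of that script. The function names (htmlEncode, htmlDecode, htmlDecodeInBrowser, clientThenServer, fillFields) are invented for this example.

```javascript
// Added example; not code from the original question or answer.
// Assumption: stored values were produced by ASP.NET HttpUtility.HtmlEncode,
// which emits &lt; &gt; &amp; &quot; &#39; and decimal references such as
// &#160;. This is a decoder for that output only, not a full HTML5 entity
// decoder (that needs the complete named-reference table).

const ENCODE = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Server-side style encode of the five characters that matter in text and
// attribute context. One pass, one replacement per character. It is NOT
// idempotent: htmlEncode(htmlEncode('&')) is '&amp;amp;'.
function htmlEncode(text) {
  return String(text).replace(/[<>&"']/g, (c) => ENCODE[c]);
}

// Decode numeric references (&#39; &#x27; &#160;) and the five named ones.
// Unknown or malformed references are left exactly as written.
function htmlDecode(encoded) {
  return String(encoded).replace(
    /&(#[xX][0-9a-fA-F]{1,6}|#[0-9]{1,7}|[a-zA-Z]+);/g,
    (match, body) => {
      if (body[0] === '#') {
        const hex = body[1] === 'x' || body[1] === 'X';
        const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
        // Refuse code points outside Unicode or in the surrogate range.
        if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
        return String.fromCodePoint(cp);
      }
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
  );
}

// Browser only: the definitive decoder is the HTML parser itself. DOMParser
// builds an inert document (no script execution, no browsing context), so
// untrusted input is safe here. Falls back to the table decoder where there
// is no DOM (Node, tests).
function htmlDecodeInBrowser(encoded) {
  if (typeof DOMParser === 'undefined') return htmlDecode(encoded);
  return new DOMParser().parseFromString(String(encoded), 'text/html')
    .documentElement.textContent;
}

// The flow in the question: the client replaces < and > before submit and
// the server then HtmlEncodes the result. The value is encoded twice and a
// single decode does not restore it.
function clientThenServer(raw) {
  const clientEscaped = raw.replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const stored = htmlEncode(clientEscaped);
  return { stored, decodedOnce: htmlDecode(stored) };
}

// Put a stored value back on the page. .textContent and .value take raw
// text and the browser escapes it itself, so a decoded "<script>" is shown
// as characters in both the label and the textbox and never becomes markup.
// Assigning the same string to label.innerHTML would be the XSS bug.
function fillFields(storedEncoded, labelEl, inputEl) {
  const text = htmlDecode(storedEncoded);
  labelEl.textContent = text;
  inputEl.value = text;
  return text;
}
```

Encode exactly once, on the server, at the point of storage or output; the browser does the decoding when it renders, and the client-side pre-escaping in the question only gets in the way (clientThenServer shows the double-encoded result). If the application must decode in script, htmlDecodeInBrowser lets the parser do it instead of maintaining an entity table by hand.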

