Need some kind of escape/stripTags functionality

Bug #342212 reported by Michael Nelson
Affects: LAZR Javascript Library
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

AFAICS, YUI doesn't have any built-in functionality like prototype's escapeHTML:

http://www.prototypejs.org/api/string/escapeHTML

The JS built-in escape() is no good, as it does urlencoding, so spaces become %20's.

We can temporarily use:

"<script>my bad stuff</script>".replace(/<([^>]+)>/g,'');

to strip out tags, but I don't think this is safe with different character sets.

BTW: Unless I'm missing something, it's not trivial to do it without the regexp.

Revision history for this message
Edwin Grubbs (edwin-grubbs) wrote :

A simple, and probably more efficient way to escape the text is to use document.createTextNode(), but you need to append that node as opposed to just setting innerHTML. If you want to replace the entire content, it can be done by calling:

container.set('innerHTML', '');
container.appendChild(document.createTextNode(a_string_containing_html));

However, I don't think that the FormOverlay.showError() method is the right place to escape HTML, since it limits the ability of pages using that widget to format the error message. Since most error messages containing potentially bogus HTML will come from the REST API, we could have the javascript REST client escape the response.responseText.

Revision history for this message
Paul Hummer (rockstar) wrote :

javascript has the escape() function. Use it. Love it.

Changed in lazr-js:
status: New → Invalid
Revision history for this message
Edwin Grubbs (edwin-grubbs) wrote :

The bug description explains that javascript's escape() won't work. It will convert "<" to "%3C". We really don't want to make text with html tags in it completely unreadable. We just want to make it safe to display.

Changed in lazr-js:
status: Invalid → New
Paul Hummer (rockstar)
Changed in lazr-js:
status: New → Triaged
importance: Undecided → Low